[development] forms without session

Heine Deelstra hdeelstra at gmail.com
Sat Oct 13 17:10:50 UTC 2007


Dave Cohen wrote:
> I have a situation in which I can't preserve any session information for my 
> users.  No cookies are available.  I'm able to present pages OK, but all form 
> submissions fail.
> 
> They fail because each form includes a token, and on submit the token is 
> tested by drupal_valid_token().  The test always fails because the 
> session_id() is never the same between when the form was generated and when 
> submitted.
> 
> Now, I notice that drupal_valid_token takes a parameter $skip_anonymous, which 
> does almost what I want, it skips the test when the user is anonymous (why 
> only for anonymous users, I have no idea).  So it looks like someone had in 
> mind a situation like mine.  But as far as I can tell $skip_anonymous is 
> never used.  There's no way to configure FAPI to use it.
> 
> So my questions are these: can anyone explain to me better what's going on 
> here and what $skip_anonymous is for?  And if I submit a patch that makes 
> FAPI configurable to skip this check, is there any chance it would make it 
> into the next 5.x and/or 6.x release?
> 
> For the curious, my situation is a Facebook Application using Drupal for 
> Facebook <http://drupal.org/project/fb>.  When presenting a facebook "canvas 
> page", the requests come from facebook, not the user's browser.  And if the 
> facebook user is not "logged in" to the app, there is no session information 
> whatsoever available.
> 
> I'm interested in other approaches to solve this problem.  For example, if I 
> could somehow alter all local urls to include a ?mysession=nnnnn, which stays 
> the same through all links and form submits, that would be amazing.  Any 
> ideas are welcome.

The tokens protect against cross site request forgeries (CSRF) where a malicious site
causes your browser to submit a request to a site where you are logged in. As the
submission occurs with your credentials (but without intend) its result is the same as
when you submitted the form with intend.

The token is there to protect you against this.

Now, as an external site has the same permissions as anonymous user, there's no point to
protect their form submissions with such a token. As the token doesn't play well with page
caching on top of that, tokens are not included in (nor checked for) forms that are
displayed to anonymous users.

Forms where #token is set to false, do not get a token as well.

I'm not sure what you are doing exactly and haven't had the time to review the code on fb,
so I regrettably can't give you any helpful suggestions that are still secure.

Heine

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.drupal.org/pipermail/development/attachments/20071013/3c6b1e3a/attachment.pgp 


More information about the development mailing list