Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
The GUI does not retain the checked setting for "Force single use tokens". The database definitely has the correct configuration as proven by doing a drush cex and seeing that the resultant yml files do change as the settings is changed in the GUI. However, the checkbox in the GUI never shows checked (even when the setting really is true)
Steps to reproduce
- Install latest Drupal 9 using composer create-project drupal/recommended-project
- Configure Drupal using the GUI
- composer require drupal/anonymous_token
- Login as admin
- Enable Anonymous CSRF Token module using the GUI
- Clear all caches
- Go to the settings page /admin/config/system/anonymous-csrf-token
- Check "Force single use tokens"
- Click Save configuration
- The checkbox does not remain checked
- Clear cache and navigate back to the page. It still isn't checked.
Proposed resolution
The error only happens with a new install because there is no setting as of yet. The null coallesce isn't working as you would think on a fresh install. Fix line 39 in src/Form/SettingsForm.php
'#defalt_value' => $config->get('force_single_use') ?? FALSE,
Comments
Comment #2
baikho commentedThanks for the bug report!
Comment #4
baikho commentedFixed now, will tag a new release.