Last updated 28 August 2014. Created on 21 November 2013.
Edited by znerol, adammalone. Log in to edit this page.

Please note, that this is an advanced topic. Blindly following the advice given here will potentially render a site insecure and might lead to data leaks.

In Drupal every form is protected against Cross-site request forgery (CSRF/XSRF) attacks by default. The implementation follows the synchronized token pattern favored by OWASP. In short whenever a user is logged-in into your site, a unique token gets embedded as a hidden input field into any form. Because this token is user-specific, Authcache normally cannot cache a page for authenticated users when there is a form on it.

The Authcache Form module provides means to retrieve form tokens using Ajax or ESI and inject them into a page retrieved from the cache. This mechanism allows us to cache even pages with forms for authenticated users. However this is on the expense of having one more HTTP request hitting the server per form unless the fragment already has been cached in the browser.

Disable form-token retrieval for search

Some forms do not trigger any data-alterations on the server-side, e.g. search forms. It is therefore debatable whether they need to be protected against CSRF attacks at all because there is little destructive potential caused by executing a search on behalf of another user. In order to exclude search forms from CSRF protection visit Administration » Configuration » System » Authcache » Form and expand the fieldset Remove form tokens. Then enter the form-ids of the forms where form tokens should be removed one per line. E.g.


Disable form-token retrieval on the commerce add-to-cart form

Typical e-commerce sites do not require users to log-in in order to use the site. I.e. anonymous users are allowed to add products to the cart. Only when proceeding to checkout, user are required to sign-in.

For such sites where anonymous and unprivileged authenticated users enjoy exactly the same functionality on product display pages it might be justifiable to remove the CSRF protection from the add-to-cart form. Add the following pattern to the list of the Remove form tokens fieldset (see above) and restrict form token removal to unprivileged roles:


More information on CSRF prevention is available on the following sites:

search-form-tokens.png79.38 KB

Looking for support? Visit the forums, or join #drupal-support in IRC.