When a user attempts to submit an expired form, the user receives the error "This form is outdated. Reload the page and try again." There are several problems with this message:
- Reloading the page does not actually resolve the issue.
- The message is confusing: Outdated how and why? Try what again?
Steps to reproduce:
- Go to node/add/article and fill out the form without submitting it.
- In another browser tab, log out of the site and log back in.
- Now try to submit the form. You'll get the error, and if you simply follow the instructions and reload the page, then you will continue to get the error forever.
At a minimum, the error message needs to be updated with a more accurate description of the problem and especially accurate instructions on how to proceed.
There are two possibilities:
1. Regenerate the form
   - Inform the user of the issue.
   - Force the user to regenerate the form
   - Provide a link to do this in the error message.
2. Generate a new token
   - Inform the user of the problem
   - Retain the user's form values
   - Generate a new token
   - Warn the user about the security implications
   - Prompt the user to either review and confirm the submission or to generate a new form (as in #1).
#1 is clearly undesirable for usability (data could be lost).
#2 has the following potential issues:
- It risks further confusing the user
- It may introduce CSRF vulnerabilities
- It is not clear to the user what the implications of submitting the form are
- Hidden and similar form elements cannot be inspected by the user to ensure they contain intended values.
Based on the security implications, the consensus is to use solution #1 for now to fix the problem. Patch in #119 implements this change.
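The failure in the steps to reproduce, and the reason option #2 raises a CSRF concern, shown as an added example that is not Drupal's code or part of the original issue: a simplified model in which the form token is an HMAC keyed by the session ID. The private key, session IDs, form ID and function names are constructed for illustration.

```php
<?php
// Simplified model of a session-bound form token (assumption: this is not
// Drupal's actual implementation). All keys and session IDs are constructed.
const PRIVATE_KEY = 'constructed-site-private-key';

// The token is an HMAC over the form ID, keyed by session ID + site key,
// so it is only valid for the session that rendered the form.
function form_token(string $form_id, string $session_id): string {
  return hash_hmac('sha256', $form_id, $session_id . PRIVATE_KEY);
}

function token_is_valid(string $form_id, string $session_id, string $token): bool {
  return hash_equals(form_token($form_id, $session_id), $token);
}

// Option #1: a POST with a bad token is rejected and its values are never
// processed; the only way forward is a fresh GET, which renders a new token.
function handle_post(string $form_id, string $session_id, array $post): string {
  if (!token_is_valid($form_id, $session_id, $post['form_token'] ?? '')) {
    return 'rejected: form outdated, link to a freshly rendered form';
  }
  return 'saved: ' . $post['title'];
}

// Step 1: the form is rendered in session A and left open.
$session_a = 'sess-A-constructed';
$post = ['title' => 'My article', 'form_token' => form_token('article_node_form', $session_a)];

// Step 2: logging out and back in (other tab) gives the browser session B.
$session_b = 'sess-B-constructed';

// Step 3: submitting the open form sends the session-A token under session B.
echo handle_post('article_node_form', $session_b, $post), "\n";

// "Reload the page" re-sends the same POST body, stale token included.
echo handle_post('article_node_form', $session_b, $post), "\n";

// A fresh GET renders the form under session B; re-entered values now save.
$post['form_token'] = form_token('article_node_form', $session_b);
echo handle_post('article_node_form', $session_b, $post), "\n";

// Why option #2 is risky: a cross-site forged POST also arrives with a wrong
// token. Re-issuing a token around its submitted values would hand the
// attacker's values a valid token, leaving only the user's confirmation click.
$forged = ['title' => 'attacker-chosen', 'form_token' => 'guess'];
echo handle_post('article_node_form', $session_b, $forged), "\n";
```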
- The error message is broken enough that we are introducing a string change (see #114 and #115).
- Patch in #119 needs review and sign-off from UX maintainers.
- Once this fix is committed, consider options for a better UX for this in the long term.
User interface changes
String change. Both the error text and workflow for dealing with expired forms will be changed.
t('This form is outdated. Reload the page and try again. Contact the site administrator if the problem persists.')
Screenshot of old error
t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url))
Screenshot of new error
Original report by @Simx0r
Got the strangest thing on Drupal 6.1. This error occurred by editing ANY block/page/setting:
Validation error, please try again. If this error persists, please contact the site administrator.
Did not install/remove any modules or settings on the site itself. Only changed an existing block containing some html button with standard code, which generated this error. When looking at the logfile the following 'out of the ordinary' 404 appears which I haven't seen before:
Again, did not change anything on the Drupal site itself, except editing an existing block with no special code.
Can't delete or edit anything on the site.