A change to the Webform module to allow for cookies as the only type of validation for a user. Less secure, but allows several anonymous voters behind a single IP address to vote freely on a Webform.

Changing the option in admin/settings/webform from:

[ ] Allow cookies for tracking submissions

To something more like:

Track anonymous submissions by:
( ) Cookie (least secure)
( ) IP Address
( ) Both IP Address and Cookie (most secure)


xmacinfo’s picture

I agree. Current limitations are not adequate for anonymous users.

When first using this module, I erroneously thought limitation was based on IP. I would welcome any change where limitation would be more friendly for anonymous users.

However, my first wish is for limitation by IP for anonymous users.

quicksketch’s picture

xmacinfo, they currently should be limited by IP already.

If it's not however, after these changes it definitely will be. :)

xmacinfo’s picture

I forgot to mention that I'm using 5.x-1.10. With this version a limit will also limit anonymous users too strictly, whatever their IP.

Should I consider upgrading to 5.x-2.0-beta3? Usually I try to install only release version.

goldoak jp’s picture

I'm having problems with this issue also - using 5.x-2.0-beta3 - where the submission limit applies to anonymous users regardless of IP address.

So it allows 'only one anonymous user submission' - instead of allowing 'only one anonymous user submission per IP address'.

Any chance there will be a patch available soon? Or some instructions for a fix?
Even if it is just to limit anonymous submissions by IP address, that would help.

Otherwise, the module works great for unlimited submissions or for limited submissions by authenticated users.


xmacinfo’s picture

Well, you do experience the same issue I'm experiencing with 5.x-1.10. I guess I won't install 5.x-2.0-beta3, after all.

I would also like to know how to fix the issue.

mgenovese’s picture

To make this functionality complete, I would add the fourth option to have NO anonymous user validation. This would be most useful for debug when users have problems submitting forms.

quicksketch’s picture

No validation seems like it'd be unnecessary. You can just set the option to not limit the submissions right?

@aabdallah, you were planning on implementing this I thought. Is that still the case?

mgenovese’s picture

"No validation seems like it'd be unnecessary. You can just set the option to not limit the submissions right?"

No, because that affects registered users submission restrictions. I'm looking for a way to absolutely turn off any type of anonymous user validation, essentially for the time when problems arise with anonymous users.

quicksketch’s picture

Status: Active » Closed (won't fix)

Marking as won't fix as there is a lack of interest in implementation. Please reopen if interested in implementing.

xmacinfo’s picture

Status: Closed (won't fix) » Fixed

Looks like this is already implemented. At least in the 6.x-2.3 version. So the fix might be there for older versions as well and in 5.x-2.3.

See Advanced options:

[√] Allow cookies for tracking submissions
Cookies can be used to help prevent the same user from repeatedly submitting a webform. This feature is not needed for limiting submissions per user, though it can increase accuracy in some situations. Besides cookies, Webform also uses IP addresses and site usernames to prevent repeated submissions.

I have not tested these options yet, though.

quicksketch’s picture

The allow cookies option has been there since the 1.x releases, it adds cookies in addition to username or IP detection.

The real complaints here probably stemmed from the IP Detection not working adequately, where it wasn't checking X_HTTP_FORWARDED_FOR, so an entire group of computers might not work if they were behind a proxy server. So currently the system is now set to check this value, so it significantly reduces the likelihood of this problem.
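The proxy handling described in the comment above, sketched as an added example (not Webform or Drupal code, and not part of the original thread): the forwarded header is used only when the request arrives from a proxy the site itself trusts. The function name, the `$trusted` list and all addresses are assumptions made for the illustration.

```php
<?php
// Added example, not Webform or Drupal code. Addresses are constructed
// documentation/private ranges; $trusted is a hypothetical site setting.

/**
 * Picks the address to count per-IP submission limits against.
 *
 * X-Forwarded-For is honoured only when the TCP peer is one of our own
 * proxies; from any other peer it is client-supplied text.
 */
function example_client_ip($remote_addr, $forwarded_for, array $trusted) {
  if ($forwarded_for === NULL || !in_array($remote_addr, $trusted, TRUE)) {
    return $remote_addr;
  }
  // Header format is "client, proxy1, proxy2". Walk right to left and stop
  // at the first hop that is not a trusted proxy.
  $hops = array_reverse(array_map('trim', explode(',', $forwarded_for)));
  foreach ($hops as $hop) {
    if (filter_var($hop, FILTER_VALIDATE_IP) === FALSE) {
      break; // Malformed entry: fall back to the peer address.
    }
    if (!in_array($hop, $trusted, TRUE)) {
      return $hop;
    }
  }
  return $remote_addr;
}

$trusted = array('10.0.0.5'); // The site's own reverse proxy.

// Constructed requests: array(REMOTE_ADDR, X-Forwarded-For header or NULL).
$requests = array(
  'visitor via site proxy'     => array('10.0.0.5', '203.0.113.7'),
  'office user A via two hops' => array('10.0.0.5', '192.168.1.20, 198.51.100.9'),
  'office user B via two hops' => array('10.0.0.5', '192.168.1.21, 198.51.100.9'),
  'direct client, header set'  => array('203.0.113.7', '198.51.100.77'),
);
foreach ($requests as $label => $r) {
  echo str_pad($label, 28), example_client_ip($r[0], $r[1], $trusted), "\n";
}
```

Office users A and B still resolve to the same address, because the office proxy is not in the trusted list; that shared-address case is the one the cookie-only option requested in this issue is meant to cover.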

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

vanko’s picture

Version: 5.x-2.x-dev » 6.x-2.8

There's my dirty hack for 6.x-2.8.

***I'm doing this just for one survey, please consider before applying!***

To allow voting of multiple users behind single IP, I did the following (webform v. 6.x-2.8!!):
In 'webform_submissions.inc', at line 269 (the last SQL query in the file) I leave just the second part of the OR statement, so the line becomes:

"WHERE (uid > 0 AND uid = %d) ".

Generally, this way the IP address just doesn't get checked. That's enough for me, but keep in mind that this way you rely on cookies only for tracking if user has voted. Cookie removal, as you know, is easy. Also that easy is 2nd voting from a different browser.

quicksketch’s picture

Version: 6.x-2.8 » 6.x-2.9
Status: Closed (fixed) » Active

NZWayne’s picture

I am using Webform 6.x-2.10 and have tried #13's hack but it has not made this work for me, I get no difference whatsoever. I have 50 users using Thin Clients and Remote Desktop, each having the same IP address, the Webform has to be anonymous, it works if I make it Unlimited but not if I make it Limited to 1 submission, which is what I need, and would really appreciate any help that I can get whatsoever please. Thank you in advance.

petertoen’s picture

I back NZWayne's request for a possibility to switch off IP checking when restricting the number of submissions in a webform. I would really appreciate it if this could be provided.

loophole080’s picture

#13 worked for me using webform 6.x-3.4 (line 446 in 'webform_submissions.inc')

Danny Englander’s picture

Unfortunately I could not get # 13 to work with webform 3.6. It looks like the query has changed but I am not sure. I also have a situation where I will have multiple people submitting from the same IP and want to impose a limit of 1 for each person using only cookies.

RaF7’s picture

Version: 6.x-2.9 » 7.x-3.9
Priority: Normal » Major

In all honesty, this is major, perhaps even critical? At the moment, if restricting submissions to 1, your webforms are pretty useless for intranets...and for users working behind the same IP.

For whoever wants a quick (but dirty) fix in 7.x-3.9 (probably similar in 6.x-3.9 - haven't checked):

Change webform.submissions.inc (starting at line 808)

  // Before:
  if ($num_submissions_database >= $node->webform['submit_limit'] || $num_submissions_cookie >= $node->webform['submit_limit']) {
    // Limit exceeded.
    return TRUE;
  }

  // After (cookie count only):
  if ($num_submissions_cookie >= $node->webform['submit_limit']) {
    // Limit exceeded.
    return TRUE;
  }

This skips restricting submissions based on IP, and only uses cookies. Far from ideal, but does what I currently need.

Danny Englander’s picture

@RaF007 I noticed that you changed this to Drupal 7. Is there a chance you can open a separate issue and this issue can be changed back to Drupal 6 as it was originally opened for?

quicksketch’s picture

It doesn't matter which branch it's in, the 3.x versions of Webform are maintained in sync and both versions get features at the same time. There's no need to have two issues for the same feature request.

hixster’s picture


bluemuse’s picture

Yes, please, to this feature! We're using webform to run a nationwide survey and some of the respondents are working in an office using one IP.

jlea9378’s picture

I would also like this feature. We have computer labs where different users will be logging into the same computers, and so the IP address will remain the same but the cookies will be different.

Ideally I would like to be able to choose on a per webform basis whether to limit by IP address, cookies, or both (as opposed to a global setting). Not sure if that's doable though.

rv0’s picture

A workaround for all this is adding an email field, and in the field settings ensure that only unique submissions are allowed, and prefill it for logged in users.

jjma’s picture

It would be nice to have this as a feature within the version 6 module. As it was point 19 worked for me using the 6 branch of web form.


markabur’s picture

Oh! I had assumed that the existing cookie implementation was there in order to *allow* multiple submissions per IP, not to block them. I'm definitely interested in a way to restrict forms to one submission per computer, ignoring the IP number.

amaisano’s picture

Great tip @rv0! Works with 6.x too - thank you.

jmrivero’s picture

How about moving the cookie check and return inside the uid=0 and webform_use_cookie conditional and leaving the validation with the database and cookie untouched outside like this?

  if ($user->uid == 0 && variable_get('webform_use_cookies', 0)) {
    $cookie_name = 'webform-' . $node->nid;

    if (isset($_COOKIE[$cookie_name]) && is_array($_COOKIE[$cookie_name])) {
      foreach ($_COOKIE[$cookie_name] as $key => $timestamp) {
        if ($node->webform['submit_interval'] != -1 && $timestamp <= time() - $node->webform['submit_interval']) {
          // Remove the cookie if past the required time interval.
          $params = session_get_cookie_params();
          setcookie($cookie_name . '[' . $key . ']', '', 0, $params['path'], $params['domain'], $params['secure']);
        }
      }
      // Count the number of submissions recorded in cookies.
      $num_submissions_cookie = count($_COOKIE[$cookie_name]);
    }
    else {
      $num_submissions_cookie = 0;
    }
    if ($num_submissions_cookie >= $node->webform['submit_limit']) {
      // Limit exceeded.
      return TRUE;
    }
  }

  if ($num_submissions_database >= $node->webform['submit_limit'] || $num_submissions_cookie >= $node->webform['submit_limit']) {
    // Limit exceeded.
    return TRUE;
  }

grndlvl’s picture

Version: 7.x-3.9 » 7.x-4.x-dev
Status: Active » Needs review

Here is a patch that adds a setting to check cookie only. Maybe there should be yet another settings to check cookie & user?

quicksketch’s picture

Thanks @grndlvl for your patch! That definitely demonstrates this is not a particularly challenging option to add. Rather than using two checkboxes (one of which hides automatically), I find it to be more intuitive to use radio buttons with 3 options:

Track anonymous users by:
(•) Cookie only (least strict)
( ) IP address only
( ) Both cookie and IP address (most strict)

Other than the name of the option, this patch uses the same approaches as yours. Thanks for moving this to 4.x also, since new features are no longer being added to 3.x branches.
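The three tracking options listed above, replayed over a constructed sequence of anonymous submissions as an added example (not part of the original thread and not the committed Webform patch). The mode strings, function names and sample attempts are assumptions; "jar" stands for one browser's cookie store.

```php
<?php
// Added example, not Webform code. Mode names and sample data are constructed.

// Applies one tracking mode to the counts already recorded for this visitor.
function example_limit_exceeded($mode, $ip_count, $cookie_count, $limit) {
  switch ($mode) {
    case 'cookie':
      return $cookie_count >= $limit;
    case 'ip':
      return $ip_count >= $limit;
    case 'both':
      return $ip_count >= $limit || $cookie_count >= $limit;
  }
  throw new InvalidArgumentException("Unknown tracking mode: $mode");
}

// Replays the attempts in order and returns the labels that were accepted.
function example_replay($mode, array $attempts, $limit) {
  $by_ip = array();
  $by_jar = array();
  $accepted = array();
  foreach ($attempts as $label => $a) {
    $ip_count = isset($by_ip[$a['ip']]) ? $by_ip[$a['ip']] : 0;
    $jar_count = isset($by_jar[$a['jar']]) ? $by_jar[$a['jar']] : 0;
    if (!example_limit_exceeded($mode, $ip_count, $jar_count, $limit)) {
      $by_ip[$a['ip']] = $ip_count + 1;
      $by_jar[$a['jar']] = $jar_count + 1;
      $accepted[] = $label;
    }
  }
  return $accepted;
}

// Constructed attempts: one office behind a single address, limit of 1.
$attempts = array(
  'alice first'            => array('ip' => '198.51.100.9', 'jar' => 'jar-1'),
  'bob, same office'       => array('ip' => '198.51.100.9', 'jar' => 'jar-2'),
  'alice repeat'           => array('ip' => '198.51.100.9', 'jar' => 'jar-1'),
  'alice, cookies cleared' => array('ip' => '198.51.100.9', 'jar' => 'jar-3'),
);
foreach (array('cookie', 'ip', 'both') as $mode) {
  echo str_pad($mode, 8), implode(' | ', example_replay($mode, $attempts, 1)), "\n";
}
```

With cookie-only tracking a colleague on the same address and a browser with cleared cookies are indistinguishable, so both are accepted; with IP or both, the colleague is rejected along with the repeat.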

quicksketch’s picture

Revised update hook that deletes the old setting "webform_use_cookies" and is double-run safe.

quicksketch’s picture

Status: Needs review » Fixed

Committed to 4.x branch. Thanks @grndlvl!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

modiphier’s picture

Issue summary: View changes

webform 6.x-3.20

Got halfway through adding the patch and noticed some of the variables change from user to account, so I scrapped the idea. Is there a patch for the version of webform I am using? I am having some idiots click more than once even though I have more than one html markup with a note in red to just click once. I can't limit to 1 per day or hour due to network users. I have the hide submit button module installed but can't seem to get it to see the webform submit button.

Any suggestions?