The Webform Anonymous module seeks to allow webform content node authors to obscure the submitter's identifying information for a particular webform node. It does this by limiting the display of the uid and IP address information that is stored in the submission table.
This is inherently susceptible to a determined administrative user who can examine database tables or use other means to discover identifying information. The only real solution is to ensure that identifying information is not stored or is one-way encrypted in the database. See this Webform Anonymous issue: #2350497: Data not suffeciently anonymized
The IP address is actually used in only two places in Webform:
- To report to the administrator via the error log an attempt to use Webform as an agent of spam. For valid users of a confidential survey, such a report should not be a concern (unless they are in fact spammers, in which case they don't deserve confidentiality).
- To limit the number of submissions for anonymous (i.e. not authenticated) users. Webform offers three options for this: cookies, IP address, and both. For a confidential webform node, cookies only would automatically be used.
The proposed implementation would be to record the IP address as normal during the creation of a node by an anonymous user. This allows the IP address to be available for spam checking. Immediately before saving the submission (presave time), the IP address would be replaced with a bogus value, such as (unknown). The (unknown) IP address would continue to be displayed on webform submissions and reports to reassure administrators that no IP addresses are being saved.
If the option is turned off, then only future submissions would record data. If turned back on, any existing submissions would be sanitized with "(unknown)".
An attempt to submit a confidential webform from an authenticated user account will either be logged out first or (more likely) greeted with a message that the user needs to log out first.
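The presave approach described above, written out as an added illustration in the style of a Drupal 7 contrib module (this is not the committed patch's code). It assumes a hypothetical module named `webform_confidential_example`, that the per-node setting lives in `$node->webform['confidential']`, and that the placeholder is the literal string `(unknown)` from the summary.

```php
<?php
/**
 * @file
 * Hypothetical module webform_confidential_example (added illustration only).
 *
 * Assumptions: the confidential flag is stored in $node->webform['confidential'],
 * and the placeholder written in place of the IP is the string '(unknown)'.
 */

define('WEBFORM_CONFIDENTIAL_EXAMPLE_PLACEHOLDER', '(unknown)');

/**
 * Implements hook_webform_submission_presave().
 *
 * Up to this point $submission->remote_addr still holds the real client IP,
 * so earlier spam checks can use it; it is overwritten just before the row
 * is written to the webform_submissions table.
 */
function webform_confidential_example_webform_submission_presave($node, &$submission) {
  if (!empty($node->webform['confidential'])) {
    $submission->remote_addr = WEBFORM_CONFIDENTIAL_EXAMPLE_PLACEHOLDER;
  }
}

/**
 * Scrubs IP addresses already stored for a node once confidential is turned on.
 *
 * Returns the number of rows that were updated.
 */
function webform_confidential_example_sanitize_existing($nid) {
  return db_update('webform_submissions')
    ->fields(array('remote_addr' => WEBFORM_CONFIDENTIAL_EXAMPLE_PLACEHOLDER))
    ->condition('nid', $nid)
    ->condition('remote_addr', WEBFORM_CONFIDENTIAL_EXAMPLE_PLACEHOLDER, '<>')
    ->execute();
}

/**
 * Implements hook_form_alter().
 *
 * Tells the submitter up front that the IP address will not be recorded.
 */
function webform_confidential_example_form_alter(&$form, &$form_state, $form_id) {
  if (strpos($form_id, 'webform_client_form_') === 0
      && !empty($form['#node']->webform['confidential'])) {
    drupal_set_message(t('Your IP address will not be recorded with this submission.'), 'status', FALSE);
  }
}
```

Call `webform_confidential_example_sanitize_existing($node->nid)` from the node settings save path when the option flips on, so rows recorded while it was off are scrubbed rather than left holding real addresses.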
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | webform-confidential-2477735-2.patch | 15.15 KB | danchadwick |
Comments
Comment #1
danchadwick commented
Note: I would have liked to one-way encrypt the IP address because then it could be used for submission limit control. IP addresses, however, are only 32 bits long (fewer in actual use -- not all IP address ranges are used). This isn't enough information to prevent a brute-force attack, even with a cryptographic salt.
Another feature: webform should display a status message to the submitter informing him/her that their IP address will not be recorded.
Comment #3
danchadwick commented
This patch:
This feature cost the maintainer about $400. Funding is appreciated.
Committed to 7.x-4.x.
Comment #4
danchadwick commented
Comment #5
fenstrat commented
Committed and pushed to 8.x-4.x. Thanks!
Comment #7
mortenthorpe commented
I notice that the "Confidential" IP address recorded for a submission is actually "(unknown)", which makes me wonder how this is a good solution, as it clashes with IP-respecting validators, which will immediately classify these submissions as spam.
I propose
- Replacing "(unknown)" by "127.0.0.1" or the server's own IP address
- Adding a boolean column specifying that the submission is "confidential", because the IP address alone being the server's IP may be a result of a proxy setup, cloud-hosted site, etc.
Comment #8
danchadwick commented
Re #7: please open a new issue. Also please explain your use case. If a webform node is confidential, then the assumption is the admin is trying to NOT use the IP address and would not include them in emails or otherwise validate them.