Some ISPs, like AOL, change a user's IP address from one page view to the next. This will cause a problem with the new forms API. Here's how:
1) When a form is first displayed, the IP address is used to create an MD5 token (TOKEN1) in the drupal_get_form() function.
2) When the form gets submitted, another MD5 token is created (TOKEN2) in the drupal_validate_form() function.
3) TOKEN2 is compared to TOKEN1. If the two don't match, an error occurs.
4) The problem is, of course, that an AOL user could have an IP address of 12.12.12.12 when viewing the form but an IP address of 12.12.12.99 when submitting it. Now the form will not validate.
Someone has suggested using the Drupal session ID. But I'll let someone else figure out the details.
Comment | File | Size | Author
---|---|---|---
#3 | token.patch | 594 bytes | chx
Comments
Comment #1
kbahey commented: Some entire countries are behind proxies and each page view will get a different IP address.
Here is a related issue in e-commerce: http://drupal.org/node/35344
Comment #2
dopry commented: This seems to apply to form.inc; the token still seems to be checked against the IP...
Updating version to match.
Comment #3
chx commented: Let's use the session_id then. (Note: this is not a form API bug.)
Comment #4
Dries commented: Committed to HEAD. Thanks.
Comment #5
varunvnair commented: Errr... corrected minor typos in the title.
Comment #6
tomsys commented: Hmmm,
there is a small bug: in form.inc you should adjust the function drupal_validate_form(...) to something like this to make this .patch work properly.
Otherwise it will never validate the form; you have forgotten the previous IP address validation conditions there... $_SERVER['REMOTE_ADDR']
now should be session_id() as well.
Regards,
T.
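The token mechanism described in the issue summary, and the mismatch tomsys points out in comment #6, can both be seen in a small model. This is an added example written for this page, not the form.inc code from the patch: it uses a simplified token function (MD5 over a binding value, the form ID and a private key) that stands in for Drupal's own, and the session ID and private key are constructed values. It compares an IP-bound token with a session-bound one when the client's address changes between display and submit, and then shows what happens when display and validate bind to different things.

```php
<?php
// Added example, not the Drupal code from this issue. Simplified model of a
// form token: md5(binding . form_id . private_key). $private_key stands in
// for the site's private key; its value is constructed for the demo.

function make_token(string $binding, string $form_id, string $private_key): string {
    // $binding is whatever the token is tied to: the client's IP address in
    // the original scheme, the session ID in the scheme from comment #3.
    return md5($binding . $form_id . $private_key);
}

function validate_token(string $submitted, string $binding, string $form_id, string $private_key): bool {
    // Recompute the token on submit from the same inputs and compare.
    // hash_equals() does a constant-time comparison (PHP >= 5.6).
    return hash_equals(make_token($binding, $form_id, $private_key), $submitted);
}

$private_key = 'constructed-demo-key';   // constructed
$form_id     = 'comment_form';
$session_id  = 'abc123sessionid';        // constructed; same on both requests

// Request 1: the form is displayed. The client arrives from 12.12.12.12
// (the addresses are the ones given in the issue summary).
$ip_on_display    = '12.12.12.12';
$token_by_ip      = make_token($ip_on_display, $form_id, $private_key);
$token_by_session = make_token($session_id, $form_id, $private_key);

// Request 2: the form is submitted, but the proxy now presents 12.12.12.99.
$ip_on_submit = '12.12.12.99';

$ip_scheme_ok      = validate_token($token_by_ip, $ip_on_submit, $form_id, $private_key);
$session_scheme_ok = validate_token($token_by_session, $session_id, $form_id, $private_key);

printf("IP-bound token validates after IP change:      %s\n", $ip_scheme_ok ? 'yes' : 'no');
printf("Session-bound token validates after IP change: %s\n", $session_scheme_ok ? 'yes' : 'no');

// Comment #6's situation: the display side was switched to session_id() but
// the validate side still binds to $_SERVER['REMOTE_ADDR']. The two sides
// hash different inputs, so the check fails even when the IP never changes.
$mixed_ok = validate_token($token_by_session, $ip_on_display, $form_id, $private_key);
printf("Token made from session, checked against IP:   %s\n", $mixed_ok ? 'yes' : 'no');
```

The IP-bound check fails once the address changes while the session-bound check passes, which is the fix the thread converges on; the last check fails regardless of the address, which is why both drupal_get_form() and drupal_validate_form() have to derive the token from the same binding.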
Comment #7
archetwist commented: token.patch did the job. I've successfully posted a test comment using Tor to change my IP before clicking the Preview button.