Problem/Motivation
Some forms are repeated over and over across a site, each one with a slightly different form id. A good example is the commerce add-to-cart form. By default Drupal generates a unique CSRF form token for each instance (i.e. for each product display). In order to receive form tokens on cached pages for authenticated users, one request is generated for each of these form instances by default.
Proposed resolution
The form API allows the customization of the CSRF token value. It is possible to alter that value from within a hook_form_alter. A good candidate as the form token value is the form_base_id.
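The approach above, written out as an added Drupal 7 hook_form_alter (example code, not from this issue or from the module under discussion): the per-instance token seed is replaced by the base form id for whitelisted base forms. The module name `mymodule` and the variable `mymodule_shared_token_forms` are assumptions; the token stays session-bound through drupal_get_token(), so the change only stops distinguishing between instances of the same base form.

```php
<?php
/**
 * Implements hook_form_alter().
 *
 * Example only: share one CSRF token across all instances of a base form
 * (e.g. every commerce add-to-cart form) by seeding it with the base form id
 * instead of the per-instance form id. drupal_get_token() still mixes in the
 * session id and the site's private key, so the token remains per-user.
 *
 * Hypothetical variable mymodule_shared_token_forms holds the whitelist of
 * base form ids; "*" means all of them.
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  global $user;

  // Core only attaches a token to non-programmed forms shown to authenticated
  // users; if there is no token there is nothing to replace.
  if (empty($user->uid) || !empty($form_state['programmed']) || empty($form['#token'])) {
    return;
  }
  // Forms without a base form id have only one form id anyway.
  if (empty($form_state['build_info']['base_form_id'])) {
    return;
  }
  $base_form_id = $form_state['build_info']['base_form_id'];

  $whitelist = variable_get('mymodule_shared_token_forms', array('*'));
  if (!in_array('*', $whitelist, TRUE) && !in_array($base_form_id, $whitelist, TRUE)) {
    return;
  }

  // drupal_prepare_form() has already derived form_token from $form_id, so
  // both halves must be swapped: #token is the seed drupal_validate_form()
  // checks on submission, form_token is the value rendered to the browser.
  // Changing only one of them makes every submission fail token validation,
  // which is why the alter has to run for cached and uncached builds alike.
  $form['#token'] = $base_form_id;
  $form['form_token']['#default_value'] = drupal_get_token($base_form_id);
}
```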
Remaining tasks
User interface changes
API changes
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | 2352239-use-base-form-id-for-tokens-4.diff | 10.47 KB | znerol |
| #4 | interdiff.txt | 6 KB | znerol |
| #3 | 2352239-use-base-form-id-for-tokens-3.diff | 4.48 KB | znerol |
| #3 | interdiff.txt | 4.93 KB | znerol |
| #2 | interdiff.txt | 2.89 KB | znerol |
Comments
Comment #1
znerol commented
Comment #2
znerol commented
Note we need to do that on both cacheable as well as uncacheable versions of the page. Otherwise form-processing will not work as soon as the form is submitted.
Comment #3
znerol commented
Implemented an admin interface. No need to provide the possibility to restrict this feature to a selected set of roles, therefore removed that. The names of possibly affected modules are shown in the fieldset description; that should make it easier for people to assess the impact.
The feature now kicks in for all authcache-enabled users if the base form id matches a whitelist (defaults to "*").
Comment #4
znerol commented
Adding tests.
Comment #6
znerol commented