If you're trying to use the #ajax framework, it won't work.

It comes down to this:

function ajax_get_form() {
  $form_state = form_state_defaults();

  $form_build_id = $_POST['form_build_id'];

  // Get the form from the cache.
  $form = form_get_cache($form_build_id, $form_state);
  if (!$form) {
    // If $form cannot be loaded from the cache, the form_build_id in $_POST
    // must be invalid, which means that someone performed a POST request onto
    // system/ajax without actually viewing the concerned form in the browser.
    // This is likely a hacking attempt as it never happens under normal
    // circumstances, so we just do nothing.
    watchdog('ajax', 'Invalid form POST data.', array(), WATCHDOG_WARNING);
    drupal_exit();
  }

form_get_cache returns FALSE because drupal_valid_token() returns FALSE.

The cache token that goes with the form is:
string(43) "EmlmK__bmhxC8zmQuWO2OOELkLFD0r4b210W9pyS-EU"

The one returned by the drupal_valid_token function is:
string(43) "Wio8WKgOo60LFv7gDTXQoZuwHT3isEjummR2b-v2aLw"

Any ideas on how I can get this to work? At the moment I've hacked includes/ajax.inc to include the token in ajax_pre_render_element().

Comments

aidanlis’s picture

I see it's probably not possible as session_id() is different for each request currently. I have added a user_login_finalize() to the login sequence in tokenauth which solves the problem for me (I don't mind if they are kept logged in).

Any suggestions on how this could be achieved otherwise would be awesome.

Bhuvana_Indukuri’s picture

Facing the exact same issue. Even with the latest version of Drupal 7 (Drupal 7.43). Any ideas or suggestions to fix the issue?

kkri’s picture

Issue summary: View changes

We had the same issue with a token auth page that has a commerce checkout form.
Our solution was to enable the system/ajax path in token auth, append the token to the AJAX link, and implemented the following exit hook:

/**
 * Implements hook_exit();
 */
function neo_commerce_exit() {
  // We create an anonymous session on tokenauth pages to ensure that the
  // AJAX forms keep the same #cache_token
  if ($_SESSION['tokenauth_auth'] == TRUE) {
    drupal_save_session(TRUE);
    if (strpos($_SERVER['REQUEST_URI'], 'system/ajax') !== FALSE) {
      unset($_SESSION['tokenauth_auth']);
    }
  }
}

Since the AJAX call is executed on pageload, this actually doesn't save a sessionid cookie in the browser.

cimo75’s picture

@kkri would you mind to elaborate a bit more about the solution? I am in the same need.
tx
Simone

kkri’s picture

@cimo75
On to the configuration page on yoursitesurl/admin/config/services/tokenauth you have to activate the drupal system AJAX path (system/ajax), and any other AJAX paths that you intend to use on the pages that will be accessed through access tokens.

Then all you have to do is to add the exit hook (you will have to adjust the AJAX path if you for some reason use different paths) I've posted above to a custom module to prevent creating a user session after the AJAX call. This will ensure that your site will still work properly even if you have code that relies on sessions.

One way to patch this issue would be to add an additional list of token auth pages that should be able to use AJAX, but I'm not certainly sure whether this can pose a security issue, so I haven't submitted a proper patch.