Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Hi,
i have some problems with ajaxified forms when i used authcache. I have a form that uses ajax to submit data and when i obtain no data from the ajax call. The problem is in includes/ajax.inc, function ajax_get_form() tries to obtain the form from cache using: form_get_cache, that function validates form token stored in the form cache, but the token is different for each user, so nothing is returned.
Can someone give me a tip to avoid this problem?
Best
David
Comment | File | Size | Author |
---|---|---|---|
#13 | 1946022-12-fix-ajax-forms.patch | 5.03 KB | znerol |
#11 | 1946022-9-fix-ajax-forms.patch | 3.31 KB | znerol |
#5 | Captura_de_pantalla_19_03_13_12_30.png | 505.9 KB | david.gil |
#4 | Screenshot from 2013-03-19 12:09:04.png | 118.51 KB | znerol |
Comments
Comment #1
znerol CreditAttribution: znerol commentedWould you mind installing the Developer Examples and check whether the form / ajax examples work on your site?
Comment #2
david.gil CreditAttribution: david.gil commentedHi Lorenz,
i have installed in a clean drupal install authcache + examples and the problem are still there.
What i did is:
1.- create 2 users
2.- with one of them access:
http://localhost:8082/examples/ajax_example/submit_driven_ajax
ajax is working...
3.- access with other user and ajax is not working. The problem is that forms cannot be obtained from form cache, see includes/ajax.inc function ajax_get_form (line: 323). In form_get_cache (form.inc), the system checks the validity of cache_token of the form (token is generated in common.inc drupal_get_token) and that token includes session_id, so i think the problem is there...
any ideas what to do?
thx in advance
David
Comment #3
david.gil CreditAttribution: david.gil commentedHi,
one workaround that i am working in is use a custom callback to avoid this form token validations, as is done in views. See:
function views_ui_ajax_get_form($form_id) {
in views_ui.module.
In my form i added a path to the #ajax command:
And a menu callback that reproduces system/ajax like views do.
This is the callback:
The main problem is security, without a token validation this could be a security hole.
What do you think?
Best
David
Comment #4
znerol CreditAttribution: znerol commentedActually authcache is supposed to fetch the form-token using an AJAX call after the page is built. Would you please try to verify whether the authcache AJAX-call is executed immediately after the page is loaded? See the attached screenshot for how this should look like when using chrome network inspector.
IMHO dropping the form-token is only an option when dealing with forms triggering idempotent actions (i.e. which do not alter any content). For example search.
Update: Forgot to mention, I was not able to reproduce the misbehavior. The AJAX-examples all work well here on a fresh install with authcache 7.x-2.x-dev.
Comment #5
david.gil CreditAttribution: david.gil commentedHi again Lorenz,
i install a really fresh drupal 7.21.
Installed authcache 2.x dev, and enabled: authcache, autcache_debug & authcache_ajax
In settings only has authcache cache backend.
Again i have the same problems: You can reproduce it as i show in the screenshot:
1.- I create 2 different authenticated users. I request examples page using one of then.
2.- Enter in other browser with the other user, and obtain the cached page. As you can see tokens are retrieved ok, but when i click ajax button i obtain blank response cause i report previously.
Best
Comment #6
znerol CreditAttribution: znerol commentedAn empty response normally indicates a problem on the server side. Would you please read through the apache-error log and check whether there are PHP errors reported? Perhaps you also find something in the drupal watchdog logs?
Comment #7
znerol CreditAttribution: znerol commentedOnly to be sure. Do you have both of the following lines in your
settings.php
?Comment #8
david.gil CreditAttribution: david.gil commentedHi lorenz,
yes cache backends are ok in settings.
- no php errors.
- in watchdog i have errors, reported by ajax_get_form, the problem is there:
If you debug: (includes/form.inc).
You will see that in common.inc is where token validation for form is check, and it gives me two different values:
Comment #9
znerol CreditAttribution: znerol commentedOk, I understand now whats going on. I will need some time to investigate whether it is legible to drop
#cache_token
from ajax forms when they are cached for the first time.As a workaround i suggest you to cancel page caching whenever your custom ajax form is rendered:
Alternatively you may exclude the pages where your form is rendered by listing the respective paths in the authcache page ruleset.
Thank you for reporting this issue and for giving such detailed information. I appreciate that very much.
Comment #10
david.gil CreditAttribution: david.gil commentedHi,
as a workaround i use what i said, i implement a custom ajax url callback that avoids this problem, it has a security issue but i can asume it. I cannot disable cache for that pages, cause they are the core of our app.
I wait your answer, if i can help you say me!.
Best
Comment #11
znerol CreditAttribution: znerol commentedJust as david.gil pointed out, the problem is that a per-user form-token is saved along with with a form to the form cache when a user is logged in (see form_set_cache. Upon retrieval of a form from the form-cache, the token is checked (form_get_cache. Therefore authcache currently does not work with cached forms. This is especially annoying because ajax forms require the form-cache.
In order to solve the problem I've implemented an additional authcache ajax command which simply retrieves a given form from the form-cache, generates a new build-id and stores it back into the cache on behalf of the current user. The new build-id is then injected into the dom. You find the code in the attached patch, its not in the repository yet.
This is somewhat a proof of concept. I guess that there may occur some problems when the page cache and form cache bins are invalidated at different times. For example if a form-cache entry is purged before the respective page from the page cache, the ajax command will not be able to clone that form and the form will break. Form cache entries expire after 6 hours (hardcoded in
form_set_cache
). Perhaps its possible to prevent the cache bins from getting out of sync by ensuring that the caches are flushed more often than every 6 hours.In order to make the new ajax command available, one needs to rebuild the authcache ajax registry. E.g. by issuing the following drush command:
Comment #12
david.gil CreditAttribution: david.gil commentedHi lorenz,
seems that in the patch is mixed: includes/AuthcacheFormBuildIdCommand.inc
best
Comment #13
znerol CreditAttribution: znerol commentedSorry for that. New patch attached.
Comment #14
znerol CreditAttribution: znerol commentedFixed in 9735682
Comment #15
znerol CreditAttribution: znerol commentedComment #17
pdendis CreditAttribution: pdendis commentedThe attached patches does not apply on 7.x-2.x-dev and on 7.x-2.0-beta3. It's for different versions
Comment #18
pdendis CreditAttribution: pdendis commentedComment #19
znerol CreditAttribution: znerol commentedThis specific patch has been committed to the repository more than a year ago (see commit 9735682. However it was subsequently discovered that the underlying problem was a Drupal core issue. It has been fixed in Drupal 7.27 and Authcache 7.x-2.0-beta3. Additionally please make sure that Cache Object API is installed and configured properly.
Please open a new issue if things still do not work even though everything is configured properly.