Hi folks,

A webform that I built recently gave me a real scare the other day - a colleague on their PC, not logged in, could see the stored values I'd entered previously on my PC! We managed to get the conditions to happen a few times and seemed to be able to stop it by un-checking the 'auto save draft' settings of the webform (and clearing the cache).

However, I'm still worried that this isn't totally fixed as some of the values my colleague saw were never stored in the webform submission - I had a presave hook to strip them out of the submission before saving to the DB. This leads me to conclude it may be the form_state 'cache' that's being shared out to other anonymous users - something I didn't think should ever happen with Drupal FAPI. Aaaaand - the save drafts feature isn't supposed to do anything (except save partial submissions, which we liked ^ now lost) for anonymous users.

My form is:

- Multistep, 3 pages
- Uses Webform AJAX to load form-pages & confirmation without reloading the whole page
- Has a presave hook to strip out sensitive data from the submission
- Has a custom submit handler (kicks in before the webform submit handlers 'webform_client_form_pages' & 'webform_client_form_submit') to do some backend processing with the values
- Has a custom validation handler (after the webform validation handlers)
- We don't have varnish (yet) only Cloudflare (resource files only)
- Anonymous don't have permissions to any webform submissions - not own, other, edit, etc...

Anyone have an idea how values from Anonymous user #1 (it was specifically field values on pages 2 & 3) were seen on Anonymous user #2's computer? I didn't think this was possible and it shocked me when we made it happen 2-3 times :S

Is it the form cache? But those Build IDs are pretty damn unique...
Is it the auto save drafts? But that isn't supposed to bring back values if UID == 0...

Any feedback from you beautiful people is very warmly welcomed.

Many thanks in advance,
Chris.

Comments

quicksketch

Hi Chris, thanks for the report. If this is reproducible, this is definitely a bug. However, what I'm confused about is that the "draft" functionality isn't supposed to function for anonymous users at all. Have you applied any patches to your site (in particular, #1932560: “Save draft” form button for anonymous users)?

If not, could you try upgrading your site to the latest 4.x release (beta3), so you're running the same code that we'd be fixing?

mogwaay

Hi quicksketch,

Thanks for getting back to me. We're not using any patches for webforms at the moment, so as you say the auto-save shouldn't do anything for our anonymous users (except for save 'draft' submissions on our multi-step form for us to see).

I still think some level of caching is my enemy here as we could only reproduce the problem on our production server - but we only use Cloudflare at the moment (no Varnish yet) and that should ignore JSON requests (we use webform_ajax to paginate via AJAX).

I'll try and find time to see if we can update to the most recent version of v4 webforms, but I might not find the time for a while, have other projects I need to move onto. And, touch-wood, we're not seeing any issues at the moment.

I'll let you know if I get something a bit more concrete - big thanks again for getting back to me.

Have a good day!

Cheers,
Chris.

quicksketch

Status: Active » Postponed (maintainer needs more info)

It sounds like this might be a bug, but with no further information I don't think we can do much here. Let me know if you have more information here, otherwise we may just close this issue.

DanChadwick

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Closed for lack of activity