400 errors on submission (Bad Request: Unable to verify your data submission) CSRF #1440
-
What happened?

We have 300 to 800 submissions a day, ~5% of them throw a 400 error. We use Blitz and the pages that include FF all of them call

Site is hosted on GCP, uses Kubernetes (pods). Session is stored on Redis. Our setup:

    {% header "Content-Type: application/json; charset=utf-8" %}
    {% set rfpForm = craft.app.request.get('form') %}
    {% set dynamicRecipients = craft.app.request.get('recipients')| base64DecodeString | split(',') %}
    {% set dynamicTemplateToUse = (rfpForm is same as('rfpVenue')) ? 'weddingVenues' : 'weddingVendors' %}
    {% set form = craft.freeform.form(rfpForm, {
        dynamicNotification: { recipients: dynamicRecipients, template: dynamicTemplateToUse }
    })
    %}
    {% do form.registerContext %}
    {{ {
        hash: form.hash,
        payload: form.payload,
        csrf: {
            name: craft.app.config.general.csrfTokenName,
            value: craft.app.request.csrfToken,
        }
    }|json_encode|raw }}

redis config:

    'redis' => [
        'class' => yii\redis\Connection::class,
        'port' => App::env('REDIS_PORT') ?: 6379,
        'hostname' => App::env('REDIS_HOST') ?: 'localhost',
        'database' => 0,
        'retries' => 20,
        'retryInterval' => 500000,
    ],
    'cache' => [
        'class' => 'yii\redis\Cache',
        'redis' => 'redis',
    ],
    'session' => [
        'class' => yii\redis\Session::class,
        'as session' => craft\behaviors\SessionBehavior::class,
        'redis' => 'redis',
    ],

Errors and Stack Trace (if available): No response
How can we reproduce this?: ..
Freeform Edition: Pro
Freeform Version: 5.5.4
Craft Version: 4.10.5
When did this issue start?: After upgrading from older Freeform version, After upgrading from older Craft version
Previous Freeform Version: 3.x
Replies: 7 comments
-
Very sorry about this @DavidStrada. We'll have a developer check into it shortly. 🙂
-
I see a change that can affect CSRF tokens in Craft 4.10.5: https://github.com/craftcms/cms/releases/tag/4.10.5
Investigating...
-
@DavidStrada Do the RFP forms still work?
-
I've replicated the
Have you seen craftcms/cms#15281 and enabled asyncCsrfInputs?
-
@seandelaney Yes, I've seen the changes on Craft and asyncCsrfInputs is enabled.
-
Forms were failing before 4.10.4 and we are on
Yes, they do work locally; however, since this is a 5 - 10% error, it is very difficult to replicate and to know exactly what's causing the issue. Why does it work 95% of the time and fail in some situations? It's not because of extensions on the browser; this has happened to people in the organization who have been able to submit plenty of forms successfully and 1 or 2 failed for some reason.
I haven't tested this; however, I do not think it is a matter of FF4 vs FF5 unless the infrastructure behind this changed how the form/CSRF token is handled aside from validating it in a controller.
-
This does not appear to be an issue with Freeform or Freeform + Blitz. The issues cannot be replicated in testing/investigating. It is related to how the forms are set up, specifically in grabbing and setting CSRF tokens and the usage/storage of cookies/sessions.
Better implementations for getting/setting CSRF tokens within Freeform forms have been suggested via direct message. 🙂
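
A browser-side counterpart to the JSON endpoint shown in the original post, as an added example (not the poster's code and not the implementation Solspace suggested by direct message): it fetches the hash, payload and CSRF token uncached and with cookies, rejects incomplete responses, and writes the values into the cached form. `ENDPOINT`, the `form[data-freeform]` selector and the hidden-input names `formHash` and `freeform_payload` are assumptions.

```javascript
// Added example. ENDPOINT, the form selector and the hidden-input names are assumptions.
const ENDPOINT = '/ajax/freeform-tokens?form=rfpVenue'; // hypothetical URL of the Twig template

// Map the endpoint's JSON ({hash, payload, csrf: {name, value}}) to
// hidden-input name -> value. Throws on an incomplete response so a bad
// token fetch surfaces before the POST instead of as a 400 afterwards.
function tokenFieldsFromResponse(data) {
  const nonEmpty = (v) => typeof v === 'string' && v.length > 0;
  if (!data || !nonEmpty(data.hash) || !nonEmpty(data.payload)) {
    throw new Error('token response is missing hash or payload');
  }
  if (!data.csrf || !nonEmpty(data.csrf.name) || !nonEmpty(data.csrf.value)) {
    throw new Error('token response is missing the CSRF name or value');
  }
  return {
    formHash: data.hash,               // assumed Freeform hidden-input name
    freeform_payload: data.payload,    // assumed Freeform hidden-input name
    [data.csrf.name]: data.csrf.value, // name is the site's csrfTokenName
  };
}

// Fetch values for this visitor's session and write them into the form.
async function refreshFormTokens(form, fetchImpl = fetch) {
  const res = await fetchImpl(ENDPOINT, {
    credentials: 'same-origin', // send and accept the session/CSRF cookies
    cache: 'no-store',          // never reuse a stored copy of a per-visitor token
    headers: { Accept: 'application/json' },
  });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  const fields = tokenFieldsFromResponse(await res.json());
  for (const [name, value] of Object.entries(fields)) {
    let input = form.querySelector(`input[name="${name}"]`);
    if (!input) { // the cached markup may lack the hidden input
      input = form.ownerDocument.createElement('input');
      input.type = 'hidden';
      input.name = name;
      form.appendChild(input);
    }
    input.value = value;
  }
  return fields;
}

// Browser wiring: 'pageshow' fires on first load and on back/forward-cache restores.
if (typeof window !== 'undefined') {
  window.addEventListener('pageshow', () => {
    document.querySelectorAll('form[data-freeform]').forEach((form) =>
      refreshFormTokens(form).catch((err) => console.error(err)));
  });
}
```
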