i have a few users who inform me that whenver the email-based “contact us” form is used, EE tells him that they have performed an “illegal function”. i am unable to duplicate the problem myself. can someone tell me what is the error message that is being described? does this error occurs with certain proxy IP or other situations? if so, how do i correc this?

Unfortunately, that error message does not ring any bells and I checked the script just to make sure with no luck either.  If you could get the exact error message that would be great.  Also, it might be a browser issue so see if they are using the same browser.  Perhaps exactly what they tried to send as well and then you can try sending it to see if you get the error.

hi, paul,

the user was able to reach me by another means. it turns out it was an authorization error. it appears that the default AOL browser is creating problem with the email based contact us form. do you know if this is a known issue? should i include something in my whitelist to deal with AOL browser?

I’ve come across a similar issue when testing contact us forms I’m building. The following might be what your users are experiencing:

During form testing, if I try and send two messages in a row using the form, it throws this error message:

The following errors were encountered

      * You are not authorized to perform this action

Return to Previous Page

I can resolve this by simply refreshing the form and submitting again. It seems as though once the form has been cached, it can’t be used again until it has been refreshed.

I don’t know why this happens, but my guess is that it’s a built in mechanism to prevent using the form for spam. There are probably ways around this, like setting tag caching to “no” or something, but I haven’t played around with it so I’m not sure.

It is not tag caching but Secure Forms, which is a universal feature for EE’s forms.  It prevents forms on an EE site to be submitted by bots or the like without considerable effort.  With AOL, they often cache pages and also use a proxy, which might change the person’s IP address.  We need the form to be fresh and used by the same IP address that loaded it that sent it.  That is likely your problem.

paul,

what is the solution then? i don’t want to turn off secure form. it is a good feature to prevent email spam.

Well, unfortunately most of our security code relies on the person loading the page themselves and their IP address not changing between page loads, which is unfortunately not something you can guarantee with AOL users and some people behind proxies.

There is no good solution here, since it seems impossible to guarantee security with some visitors to your site.  You could turn off Secure Forms and simply require membership for those pages, but that seems to be a great deal of effort and restricts their use.