Form multiple submission generates EE error
Posted: 10 July 2008 09:35 AM
Summer Student

Hi, I’m currently having a problem with EE using forms.

When a form is submitted, it is checked to see if it is a duplicate form.
If the system thinks it is, then instead of posting it, it takes the user to a page saying:

The following errors were encountered

  * You are not authorized to perform this action

The problems are twofold:

First, the error message isn’t really appropriate for this error.
Second, it’s only checking the session ID and the user ID/IP to see if the message is unique, so if the user accidentally submits a form, then tries to go back to correct the mistake and resend it, then it simply doesn’t allow them to do it. This can be solved by forcing a hard refresh on the page, but most users are unlikely to think of this.

Thanks in advance.

Posted: 10 July 2008 01:37 PM   [ # 1 ]
Moderator

Well, you are describing the status quo accurately. You can solve the second issue, in a way, by turning off “Process Form Data in Secure Mode”. As to the first issue, a feature request would be the way to go.

Posted: 04 August 2008 09:02 AM   [ # 2 ]
Grad Student

I’ve been having trouble with this issue, too.

It’s always hard to ask questions like this without a sharp tone, none implied here, but I’m wondering if it’s considered a priority in the development queue?

Posted: 04 August 2008 09:55 AM   [ # 3 ]
Administrator

No, it’s not, Amyloo; as Ingmar says, this is the desired behavior. The Secure Forms feature is a method of cross-site request forgery prevention, and the resulting behavior is quite intentional. I’ll break the original poster’s concerns down to explain.

First, the error message isn’t really appropriate for this error

This error message is intentionally obtuse - a detailed message giving the specific reason that the submission was not received would only give informative feedback to spammers and others attempting CSRF.

Second, it’s only checking the session ID and the user ID/IP to see if the message is unique

If the contents were also checked, an attacker could easily bypass this feature and execute a CSRF attack by adding or changing a single character for each request.

if the user accidentally submits a form, then tries to go back to correct the mistake and resend it, then it simply doesn’t allow them to do it

If you send a form without errors, then the submission has taken place already.  Hitting back at this point and resubmitting would be sending a new request, not updating the first.

Can you describe specifically where you yourself or your users are having difficulty because of the described behavior?  If I understand precisely where and how you’re “getting bit” so to speak, I might be able to provide some specific suggestions that can avoid this.

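A minimal model of the single-use form token behaviour discussed in replies #1 and #3, added here as an illustration and not ExpressionEngine's own code. The class, method names, token format and sample session/IP values are assumptions; only the error text and the session/IP binding come from the thread.

```python
import secrets

GENERIC_ERROR = "You are not authorized to perform this action"  # text quoted in the thread


class SecureForms:
    """Toy model of single-use form tokens (hypothetical names, not EE code)."""

    def __init__(self, secure_mode=True):
        self.secure_mode = secure_mode
        self._issued = {}    # token -> (session_id, ip) it was issued to
        self.accepted = []   # bodies of submissions that were processed

    def render_form(self, session_id, ip):
        """Called on every fresh page load; embeds a new token in the form."""
        token = secrets.token_hex(16)
        self._issued[token] = (session_id, ip)
        return token

    def submit(self, session_id, ip, token, body):
        if self.secure_mode:
            # pop() consumes the token, so any replay of it is rejected.
            # The body is deliberately not part of the check.
            owner = self._issued.pop(token, None)
            if owner != (session_id, ip):
                return GENERIC_ERROR  # same text for every failure reason
        self.accepted.append(body)
        return "ok"


def demo():
    site = SecureForms()
    sid, ip = "sess-constructed-1", "192.0.2.10"  # constructed sample values
    results = {}
    token = site.render_form(sid, ip)
    results["first"] = site.submit(sid, ip, token, "helo")
    # Back button: the cached page still carries the consumed token.
    results["back_button"] = site.submit(sid, ip, token, "hello")
    # Hard refresh: the form is rendered again with a new token.
    results["hard_refresh"] = site.submit(sid, ip, site.render_form(sid, ip), "hello")
    # Request that did not come from a rendered form: no valid token.
    results["forged"] = site.submit(sid, ip, secrets.token_hex(16), "spam")
    # Token issued to another session/IP gets the same generic message.
    other = site.render_form("sess-constructed-2", "198.51.100.7")
    results["wrong_session"] = site.submit(sid, ip, other, "spam")
    return results, site.accepted


if __name__ == "__main__":
    print(demo())
```

With `secure_mode=False`, which stands in for turning off “Process Form Data in Secure Mode”, the back-button resubmission is accepted, and so is a request that never came from a rendered form.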
 
 
Posted: 04 August 2008 10:32 AM   [ # 4 ]
Grad Student

It’s not a technical issue, more a communications/constituent relations matter. Users who get the error don’t perceive they have done anything in interacting with the form that they have not done on other sites, they get the blunt error, and think we’re lame. I’ve had emails like “Big help your help form is, what do you mean I’m not authorized?”

Posted: 04 August 2008 10:43 AM   [ # 5 ]
Administrator

Again, can you provide some details, Amyloo?  Normal legitimate users shouldn’t be encountering this except in the most extreme of circumstances.  Give me a concrete example: what form, what actions, etc.
