Thread

Yes, this works, but not perfectly. Even the own EE modules and features have some problems with it. For example in the Wiki module when someone searches and is hit with this error and clicks back, he cannot search anymore, because the page is not reloaded.

Like I said, this does not work in any scenario where the user hits the back button. What is buggy about this is that EE actually recommends to do so (go back in errors). When EE shows an error caused from this protection it tells the user to go back with a link in JavaScript that is basically history back.

So the user clicks that and goes back to the page, but the form will not work anymore, because the user has to actually reload the whole page in order to get a new XID (which he does not know).

This means he will try to input a new search or a new captcha code, or anything that requires again a re-try submission and he will hit the error over and over again.

The solution is to EE in the back link to actually not only send the user back but as well reload the page automatically or generate a new XID someway.

Lets be clear, most users actually do hit the back button when something goes wrong in a form, so this is a stopper for them. It will work fine only in the first submission and if there are no errors. For some things like search or captcha, etc, this does not work.

Let me put a simple example. Someone enter 2 letters in a search field in EE, using EE search feature, the minimum is 3, so EE will show the error that it requires at least 3 letters and with an option to go back. The user will click that link or go back with this browser and then he cannot search anything anymore unless he reloads the page which nobody does. So the search then stops working.

I see this on any form on site. Reset password, search, email submission etc

I’ve tried the XID hash input but this doesn’t work, neither do setting forms to non-secure (which seems counter intuitive).

Is this a bug? Seems very odd user behaviour — a UX blackhole — regardless of it’s intent.

Hi,

I am also having some issues getting the CAPTCHA to show using the exp:channel:form tag in EE 2.7.2. In addition, I have had no success using the

$config['secure_forms'] = "n";

in the config. Any other suggestions?

Interesting.  I think i am having this same issue.

I am using this little bit of code to load XML from a XML template.  The xml page loads great, but when jquery tries to load the XML it is broken.

jQuery.ajax({
  url: url,
  type: 'POST',
  dataType: 'xml',
  data: params,
  success: callback
 });

I’m going to try the XID option, I’ll send it as one of parameters and maybe that might fix this.  This totally broke a Google Maps with points plotted by xml file from within EE.

Question if I have multiple webforms, do i need multiple XIDs?  Also is there a way to define the XID for a session?  There seems to be a new XID generated with each page refresh, which might mean the XID I am passing through to my jquery.ajax call might already be expired?

Is there a way to make this XID thing optional? 

This is what I came up with today:

I wrote this little function to get the XID from my page:

/* June 13 2014 - function to get XID
================================================================*/
function getXID(show) {
 var myxid = document.getElementById("xid").value;
 return myxid;
}

And then later in my JS code inside of another function, I hit that function up to get the XID number, it gets added to the params{} which later get sent to the data part of the jquery.ajax call. It all makes sense to me, but it didnt fix the problem. I still get the error page instead of the XML.

params['XID'] = getXID(true);

Adding this line to config.php file resolved the issue i was having but I don’t know if it is a viable solution for me because my website may require SSL and a high level of security.

I’m curious because this worked and now i can submit via ajax jquery to load a template under the same domain, what other solution will I be able to do where i can enable this setting, but also still submit via ajax.

$config['secure_forms'] = "n";

I don’t really want to turn this off on my site.  How can i maybe just disable it for ajax submits? or send the necessary information to post?  As you can i am already sending the XID along with the post data in my functions above.

Thanks to Robin from ellislabs

I suspect the problem is related to changed in XID requirements, which are stricter in 2.7.  Any post data is going to require a valid xid.  It IS easy to make custom forms compliant- use the XID_HASH global in a hidden field:

<input type="hidden" name="XID" value="{XID_HASH}" />

Try adding that to any custom forms- does that take care of the issue?

that’s fixed it for me

This worked perfectly for me!