- 🇭🇺 aron novak (Hungary, Budapest)
https://www.drupal.org/project/protect_form_flood_control is a very good candidate for solving this, having IP-based protection; we applied it successfully at a client project.
Hello,
Actually, I am working on an implementation of rules for anonymous users who want to submit some webforms.
For anonymous users, a submission limit can be set for each created webform to prevent multiple submissions.
Actually, this feature is based on the PHP session, as defined in checkUserLimit() in the WebformSubmissionForm class.
When I tested this feature, I played with private navigation, the login/logout feature and the session lifetime. I noticed the limits of the PHP session with these tests: an anonymous user can overcome the submission limit because their session is removed or overwritten.
What if we set up the submission limit for each webform not with the PHP session but with the Drupal 8 Flood system?
This feature exists in Drupal core and is already used by the Contact form. It needs a submission limit and an interval, both already set up for webforms in the admin page. It sets a restriction by IP and it's more efficient than the PHP session. The lifetime of the database entry is managed by an expiration entry and cleaned up by cron.
If it's too restrictive, we can propose a select item to choose the limit type: PHP Session or Database Flood.
I have already worked with Flood and Webform with hook_form_alter() and I am really satisfied with the results.
So, we have two items to review:
If you agree with this thinking, I will write a patch for the module and submit it for review.
This is my first issue reporting a new feature; I am trying to do my best, and sorry about my English ;)
Thanks for your support!
Closed: outdated
5.0
Code
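The contrast the post draws between a session-based limit and an IP-keyed flood limit, as an added Python model (not Drupal or Webform code, and not part of the original post). The class names, the event name and the sample addresses are constructed for illustration.

```python
import secrets


class SessionLimiter:
    """Counts submissions per session ID; the count is lost with the session."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def new_session(self):
        # Assumption: a visitor whose session is removed or overwritten
        # (private window, logout, lifetime reached) gets a fresh ID.
        sid = secrets.token_hex(8)
        self.counts[sid] = 0
        return sid

    def submit(self, sid):
        if self.counts.get(sid, 0) >= self.limit:
            return False
        self.counts[sid] = self.counts.get(sid, 0) + 1
        return True


class FloodLimiter:
    """Counts events per (webform, IP) in server-side rows with an expiration."""

    def __init__(self, limit, interval):
        self.limit = limit
        self.interval = interval
        self.rows = []  # (event, identifier, timestamp, expiration)

    def submit(self, webform_id, ip, now):
        event = f"webform.submit.{webform_id}"  # hypothetical event name
        recent = [r for r in self.rows
                  if r[0] == event and r[1] == ip and r[2] > now - self.interval]
        if len(recent) >= self.limit:
            return False
        # Only accepted submissions are recorded, each with its own expiry.
        self.rows.append((event, ip, now, now + self.interval))
        return True

    def cron(self, now):
        # Periodic cleanup: drop rows whose expiration has passed.
        self.rows = [r for r in self.rows if r[3] >= now]
```

In this model, visitors who share one address also share one counter, which is the "too restrictive" case the post raises.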