Contrib.social

form cache not deleted after submit

Open on Drupal.org →
Created on 26 February 2025, about 1 month ago

Problem/Motivation

In general the form cache is supposed to be deleted after a form was submitted. Due to the condition in drupal_process_form() this doesn’t happen when the page cache is in effect.

Handling of the form cache was improved with the security fixes in 7.27, but I think this condition was forgotten. This means in some cases it’s possible to “finish“ multiple times by navigating back in the browser history then submitting the form again (with the same form_build_id).

I did not check whether this applies to later Drupal versions.

Even though I use webform to trigger the bug I do think this a Drupal core issue.

Steps to reproduce

Setup

  1. Create a new Drupal site using the minimal profile.
  2. Enable the page cache (drush vset cache 1)
  3. Enable webform
  4. Create a new form with 3 components: an email field (unique), page break, a text field

Reproduce

  1. Navigate to the form
  2. Fill in the form and submit both steps → first submission is created
  3. Navigate back to the last form step using the browser history, then submit again. → a second submission with the same email address is created.

Proposed resolution

Change the condition to check for empty($form_state['build_info']['immutable'] instead of !variable_get('cache', 0).

Remaining tasks

Review & test patch.

User interface changes

None

API changes

None

Data model changes

None

🐛 Bug report
Status

Active

Version

7.0 ⚰️

Component

forms system

Created by

🇦🇹Austria torotil

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024