SQLFORM doesn't work when browser cookies are disabled


Gaurav Vichare

Dec 30, 2016, 4:34:38 AM12/30/16
to web2py-users

After disabling Firefox browser cookies, SQLFORM is unable to accept the form: values are not inserted in the db, and it does not show any errors. It just submits the form and returns a new empty form. Does SQLFORM work only when cookies are enabled?

I am able to submit the form successfully by adding the arguments session=None and formname=None to SQLFORM.process(), but it adds another issue: form double submission. When the page is refreshed after submission, it resubmits the values.

How can I use SQLFORM when cookies are disabled and also prevent double submission?

Code:
# models/db.py
db.define_table("person", Field("name", "string"))

# controllers/default.py
def add_person():
    form = SQLFORM(db.person)
    # Variant that works with cookies disabled, but loses the formkey check:
    # if form.process(session=None, formname=None).accepted:
    if form.process().accepted:
        response.flash = "form accepted"
    elif form.errors:
        response.flash = "form has errors"
    return dict(form=form)

<!-- views/default/add_person.html -->
{{extend "layout.html"}}

{{=form}}


Thank You
- Gaurav Vichare

Anthony

Dec 30, 2016, 9:28:15 AM12/30/16
to web2py-users
By default, forms include a hidden _formkey field, with the formkey also stored in the session. Upon submission, if the submitted formkey does not match one in the session, the submission is rejected -- this prevents CSRF attacks as well as double submission. If you set session=None, you disable this functionality. In that case, you must create your own mechanism to prevent CSRF attacks and double submissions (could be tricky without sessions/cookies).

Why can't you use cookies?

Anthony
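The formkey mechanism described above, written out as a small added example (this is an emulation for illustration, not web2py's own implementation): the server issues a random one-time key per form, stores it in the server-side session, embeds it in a hidden _formkey field, and on submission accepts the POST only if the submitted key matches the stored one, consuming the key so the same form cannot be accepted twice. The Session class, the function names and the "person" form name are constructed for the example; passing session=None reproduces the unprotected behaviour the post mentions.

```python
import secrets


class Session(dict):
    """Constructed stand-in for a server-side session store that the
    browser references via a cookie (web2py keeps the real one elsewhere)."""


def render_form(session, formname):
    """Issue a fresh one-time formkey for `formname`, remember it in the
    session, and return (key, hidden-field markup) for embedding in the form."""
    formkey = secrets.token_urlsafe(16)
    # Only the most recently issued key for this form name is valid.
    session.setdefault("_formkeys", {})[formname] = formkey
    return formkey, '<input type="hidden" name="_formkey" value="%s">' % formkey


def process_submission(session, formname, posted):
    """Return True if the POST carries the formkey stored for this form.

    The key is deleted on success, so a replayed POST (page reload after
    submit) or a forged cross-site POST without the session's key is refused.
    With session=None there is nothing to check against, mirroring the
    unprotected mode the thread discusses.
    """
    if session is None:
        return True  # no formkey check: neither CSRF nor double submit is caught
    expected = session.get("_formkeys", {}).get(formname)
    submitted = posted.get("_formkey")
    if expected is None or submitted is None:
        return False
    if not secrets.compare_digest(expected, submitted):
        return False
    del session["_formkeys"][formname]  # consume: one key, one accepted submit
    return True


def demo():
    """Walk through the three cases: a genuine submit, a replay of the same
    POST, and a POST from a request whose session holds no key."""
    session = Session()
    key, _hidden = render_form(session, "person")
    genuine = process_submission(session, "person", {"name": "Ada", "_formkey": key})
    replay = process_submission(session, "person", {"name": "Ada", "_formkey": key})
    forged = process_submission(Session(), "person", {"name": "Ada", "_formkey": key})
    return genuine, replay, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the key lives in the session, the check only works when the browser sends the session cookie back; without it the server cannot tell a replay or a forged request from a genuine one, which is why dropping the session also drops both protections.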

Anthony

Dec 30, 2016, 9:36:13 AM12/30/16
to web2py-users
Note, to simply prevent a double submission via a page reload, after the initial submission, you can do a redirect to the same page (in that case, a double submission will only happen if the user hits the back button, but not upon a reload). If you want to prevent any double submission, you'll need to implement some persistent tracking on the server.

Anthony

Gaurav Vichare

Dec 30, 2016, 10:50:12 AM12/30/16
to web2py-users
Thanks Anthony for the reply! I used session=None because SQLFORM was not working after disabling browser cookies.

Why can't you use cookies?
Currently I am using sessions and cookies, but I am worried about the users who disable/block their browser cookies (I don't know the % of such users).

I disabled my browser cookies from the browser settings, and then I was not able to submit the form successfully. So how can I make my web2py application (SQLFORM) work for users who disable their browser cookies?
Will SQLFORM not work if browser cookies are disabled?


Thank You
- Gaurav Vichare

Anthony

Dec 30, 2016, 11:41:18 AM12/30/16
to web2py-users
On Friday, December 30, 2016 at 10:50:12 AM UTC-5, Gaurav Vichare wrote:
Thanks Anthony for the reply! I used session=None because SQLFORM was not working after disabling browser cookies.

Why can't you use cookies?
Currently I am using sessions and cookies, but I am worried about the users who disable/block their browser cookies (I don't know the % of such users).

I disabled my browser cookies from the browser settings, and then I was not able to submit the form successfully. So how can I make my web2py application (SQLFORM) work for users who disable their browser cookies?
Will SQLFORM not work if browser cookies are disabled?

People should not expect to be able to use websites that require form submissions and other types of user inputs and private data exchanges without cookies enabled. If you have users with cookies disabled, show them a message indicating cookies are required for some of the website functionality. They can always add an exception for your site.

I suppose you could move the session identifier to the URL query string, but that is less secure (if someone shares a URL, it provides access to their session). Another option would be to send a session identifier in the body of the initial page load and handle all subsequent requests via Ajax, sending the session identifier each time. But you'll need to architect a single page app in that case.

If you have no worries about CSRF attacks on the form in question, then feel free to set session=None, but it won't stop double submission (though as noted, you can minimize that via a redirect, or otherwise implement your own server-side solution to track whether a submission has been duplicated).

Anthony

Gaurav Vichare

Dec 30, 2016, 12:16:25 PM12/30/16
to web2py-users
Thanks Anthony, this is very helpful.
In my case, ignoring users who disable cookies and only showing a message to enable cookies is the best solution. Prevention of CSRF attacks and double submission is more important in my case.

Thanks!