When attempting to save page in Admin plugin I get an Invalid Security Token error message and page is not saved. I'm running the latest v1.1.0 rc3 version. My site lives on shared hosting.
I get this message when using Edge in Win10 on private network (not behind proxy).
It seems that it is Edge related.
Unfortunately this fix introduced more serious problems, forcing us to revert it.
I reopened and I will investigate further on how to address this better.
I think I nailed 🔨 it now!
This is still not working for me on a front end form. Is it possible that the fix only works for admin forms?
EDIT: And it's not working in the admin either.
@maxfrigge on Edge? And just on that browser?
@flaviocopes Edge and Internet Explorer 11 on Windows10.
You also tried Chrome (for example) and it has no error?
I'm not sure how this is in any way related to frontend forms.
Frontend forms do not act like Admin, they are regular HTML5 forms and there is no JS magic behind the scenes, you submit regularly as you would do with any other HTML form.
In admin the issue was related to the fact that we have a complex form and we handle a lot via JS which caused issues with IE in some circumstances. Frontend forms and backend forms are completely unrelated though.
Please could you share screenshots/urls of what exactly is not working?
I will update the system to the latest Win10 and Edge Version, because they seem to be rather old. Once I am done with that I will test multiple browsers and report back. From what I have seen now the nonce is getting send to the server as expected. I am not saying that this is due to the "send twice issue", but I can say for sure that I was not able to submit either frontend nor admin forms due to nonce validation.
Will get back with results asap.
I have upgraded the system and setup the web server with new website data. Dumped all caches etc.. here are the results.
In Chrome everything works just fine.
Frontend forms are working now (all browsers).
MS Edge keeps showing errors in Admin (Invalid security) as soon as I navigate to the Pages section. When I edit it a Page it does save the changes, but I also get the invalid security token error message.
Ok. So half of the issue seemed to be related to caching. As described in #764 the global cache settings seemed to be applied in the admin too.
Removing the cache settings fixes all issues on MS Edge.
Seems that all pages with forms should never be cached, to avoid old nonces from being used.
Could this maybe be enforced by the forms plugin?
Good find, pages in Admin should not use any caching setting.
I may have found the core the issue where two forms are submitted.
There are two forms in the markup with id blueprints the actual blueprints form.. and another one for a modal popup used to move pages.
The submit button for the page form is outside the form and uses a form=blueprints attribute to submit the form. It seems that browser, which support this feature handle it in a way where only the first form with this id gets submitted. IE however doesn't support this feature and the polyfill causes both forms to be submitted.
I am about to create a PR.
Merged the PR, thanks!
No worries. Thanks for Grav :)
Maybe @w00fz commit can now be reverted.. I haven't had the time to test this.
I think it's fine to keep, in case somehow double form submission still happens we at least catch it via JS.