2

Every once in a while the submit of a PloneFormGen-form (it happens on different forms, so nothing form specific) raises the "Form authenticator is invalid" exception.

I know this is the Cross-Site Request Forgery (CSRF) protection going off, but what is that exactly?

What triggers it and how can it be prevented (because, as far as i can tell all the triggering submits were valid, so no forgery going on :-)

Thanks!

dimboo
  • 145
  • 7

1 Answers1

8

To protect against from posts from other sources, many Plone forms, including PFG forms where you haven't turned it off, contain a cryptographic token as a hidden input. That token must be present in the submit, and the submit must be by HTTP POST.

When CSRF protection is turned on, a submit from any other source than the original form will trigger an error. You could also conceivably get the error if one user loaded the form, then in the same browser logged in as another user. Or, if the post was turned into a GET by a proxy or browser plug in.

You can turn off CSRF checking in PFG on a form-by-form basis. CSRF checking isn't really useful unless some valuable resource is being protected.

SteveM
  • 6,058
  • 1
  • 16
  • 20
  • Is there a way to turn off CSRF on form-by-form basis? I want to run a few tests on a custom registration form I've created but I'm having hard time finding documentation on this for Plone pre-v4.3 – Alex Volkov Sep 16 '14 at 21:18
  • 1
    It's an option on the default page of the form edit tab. – SteveM Sep 17 '14 at 01:56