403 Access Denied on Webform submit with token

One of our sites has been updated from Drupal Core 7.83 to 7.87. There is a custom module that extends webform functionality for some of the forms on the site. The former dev wrote a function to generate a unique URL-safe base64 token using openssl, specified by length, for the webform. It is used to check if the $token submitted in the form exists in the user's $_SESSION. This check prevents the form's "Thank You" confirmation page from being visited without authentication since the webform submit handlers are overridden for submission data to be saved to an external database.

The custom confirmation page redirect is written as:

$form_state['redirect'] = array("form-submission/$nid/thank-you", array("query" => array("token" => $token)));

Which is seen in the browser address bar as:

www.domain.com/form-submission/1/thank-you?token=YmFzZTY0dG9rZW4=

Prior to the Drupal Core update, things were functioning as expected. However, since then, any submissions that come through with that custom redirect are throwing a

403 GET token=YmFzZTY0dG9rZW4=

Access Denied. You are not authorized to access this page.

On form submit.

When I modify

$form_state['redirect'] = array("form-submission/$nid/thank-you", array("query" => array("token" => $token)));

to

$form_state['redirect'] = array("form-submission/$nid/thank-you");

the form then sometimes goes through to the custom confirmation page, sometimes it doesn't. The results are inconsistent.

The modules webform and token are up to date.

Does anyone have any insight, tools, tips for troubleshooting or help they can share?
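The session-token check described in the question, as an added example that is not part of the original post or the site's custom module: it generates the token, compares it against the session copy in constant time, and returns a reason string so a denial can be logged with its cause. All function names and the session key are hypothetical, stripping the base64 padding is a choice made here, and a plain array stands in for $_SESSION.

```php
<?php
// Added example: every name below is hypothetical, not taken from the site's module.

/** Generate a URL-safe base64 token of $length characters using OpenSSL. */
function example_generate_token($length = 32) {
  $bytes = openssl_random_pseudo_bytes((int) ceil($length * 3 / 4));
  // base64url alphabet; padding stripped (assumption) so no '=' lands in the query string.
  $token = rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
  return substr($token, 0, $length);
}

/**
 * Compare the submitted token with the copy stored in the session.
 * Returns 'ok' or a reason string that can be logged next to the 403.
 */
function example_check_token(array &$session, array $query, $nid) {
  $key = "example_form_token_$nid";
  if (empty($session[$key])) {
    return 'no token in session (session lost or never started)';
  }
  if (!isset($query['token']) || !is_string($query['token'])) {
    return 'no token in query string';
  }
  // Constant-time comparison; hash_equals() needs PHP 5.6 or later.
  if (!hash_equals($session[$key], $query['token'])) {
    return 'token mismatch';
  }
  unset($session[$key]); // Single use: a reload of the thank-you URL is denied.
  return 'ok';
}

// Constructed walk-through; $session stands in for $_SESSION.
$session = array();
$nid = 1;
$token = example_generate_token(24);
$session["example_form_token_$nid"] = $token;

echo example_check_token($session, array('token' => $token), $nid), "\n"; // first visit
echo example_check_token($session, array('token' => $token), $nid), "\n"; // reload of same URL
echo example_check_token($session, array('token' => 'wrong'), $nid), "\n"; // token already consumed
```

Writing the returned reason to the site log at the point where access is denied shows whether a given 403 came from a missing session value, a missing query parameter, or a mismatch.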
