One of our sites has been updated from Drupal Core 7.83 to 7.87. There is a custom module that extends webform functionality for some of the forms on the site. The former dev wrote a function to generate a unique URL-safe base 64 token using openssl, specified by length, for the webform. It is used to check if the $token is submitted in the form and exists in the user's $_SESSION. This check prevents the form's "Thank You" confirmation page from being visited without authentication since the webform submit handlers are overridden for submission data to be saved to an external database.
The custom confirmation page redirect is written as:
$form_state['redirect'] = array("form-submission/$nid/thank-you", array("query" => array("token" => $token)));
Which is seen in the browser address bar as:
www.domain.com/form-submission/1/thank-you?token=YmFzZTY0dG9rZW4=
Prior to the Drupal Core update, things were functioning as expected. However, since then, any submissions that come through with that custom redirect are throwing a
403 GET token=YmFzZTY0dG9rZW4=
Access Denied. You are not authorized to access this page.
on form submit.
When I modify
$form_state['redirect'] = array("form-submission/$nid/thank-you", array("query" => array("token" => $token)));
to
$form_state['redirect'] = array("form-submission/$nid/thank-you");
the form then sometimes goes through to the custom confirmation page, sometimes it doesn't. The results are inconsistent.
The modules webform and token are up to date.
Does anyone have any insight, tools, tips for troubleshooting or help they can share?
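The session-token check described in the question, sketched as an added example that is not part of the original post or the custom module's code. The function names and the `example_form_tokens` session key are hypothetical, and a plain array stands in for `$_SESSION` so the script runs outside Drupal.

```php
<?php
// Added illustration; every name here is hypothetical, not the module's own.

/**
 * Returns a URL-safe base64 token built from $bytes of OpenSSL randomness.
 */
function example_make_token($bytes = 32) {
  $strong = FALSE;
  $raw = openssl_random_pseudo_bytes($bytes, $strong);
  if ($raw === FALSE || !$strong) {
    throw new RuntimeException('No strong randomness available.');
  }
  // base64url: swap "+/" for "-_" and drop "=" padding, so the value
  // needs no percent-encoding when it is placed in a query string.
  return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/**
 * Stores a fresh token for one webform node and returns it for the redirect.
 */
function example_issue_token(array &$session, $nid) {
  $token = example_make_token();
  $session['example_form_tokens'][$nid] = $token;
  return $token;
}

/**
 * Access check for the thank-you page: TRUE only when the submitted value
 * is a string equal to the token stored for this node.
 */
function example_check_token(array $session, $nid, $submitted) {
  // A query like ?token[]=x arrives as an array; reject it before comparing.
  if (!is_string($submitted) || !isset($session['example_form_tokens'][$nid])) {
    return FALSE;
  }
  // hash_equals() compares in constant time (PHP 5.6+).
  return hash_equals($session['example_form_tokens'][$nid], $submitted);
}

// Constructed run: matching token, array-valued token, wrong node id.
$session = array();
$token = example_issue_token($session, 1);
var_dump(example_check_token($session, 1, $token));
var_dump(example_check_token($session, 1, array('x')));
var_dump(example_check_token($session, 2, $token));
```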