I'd like to discuss how the token errors problem could be handled. I'm calling it a problem, but that is my view of the way the new token system handles certain things.
The problem
To me it is a problem every time an error is shown to a visitor of a website. Visitors do not always understand something went wrong or do not know how to solve it. In some cases an error message cannot be avoided, but in those cases the message must be as clear as possible so even the least capable visitor is likely to understand and fix what went wrong. I should not desire more of my website visitors.
Contao 2.10 introduced tokens that can be used only once. Additionally they are stored in the session; if the session is destroyed all open forms contain invalid tokens.
I'm having problems with the "Invalid request token" page that Contao will show whenever it cannot validate a token. This could be because the token was used, or simply removed when the session terminated. The page can be customized easily, so I will not focus on the technical text it shows, which even "technically-above-average visitors" do not understand. The invalid token request page stops all normal processes and does not allow one to recover easily; going back will only work if the erroneous form is reloaded with a new request token, which will clear all earlier input values the user might have filled in. This is still ok for a simple address form, but many forms contain a textarea which might have contained a lot of text. (I'm typing a long text right now; what if something went wrong and I lost it...)
How to get the problem
In Contao 2.10 I get the problem:
- at any moment I go back to any form that I submitted already and submit it,
- whenever I submit a form in an opened tab when I logged out of the website in another tab, just before,
- whenever I press the submit button twice (whilst waiting for the first time to load) (ok, can be solved with js),
- at times I was not paying attention to what I did; reason unknown.
Solutions?
I've already submitted this as an issue which got marked as invalid, so that would mean Leo does not agree this is a problem or misunderstood what I think is a problem. I'd like to submit it again, but that would be useless if I do not explain myself better or offer a better solution than the way Contao 2.10 functions.
Database tokens
I think the problem would be solved if the tokens are added to the database, containing the token and a status (something like open, failed, success, custom_status?). Instead of showing the "Invalid token request" page Contao would be able to determine if the form was processed correctly and show an appropriate message on the form itself on the page where the visitor was before. The tokens can be removed if they go stale or have been used x seconds ago.
The downside is a slight increase of database calls, but only when a form was submitted.
So what do you think about the token system and the way the errors are handled? I think I made my views clear!
Also, I already know some people are having problems with it; Thyon's state redirect problem I have not encountered yet.
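
The database-token idea proposed in this post, sketched as an added example that is not part of the original post and is not Contao's code. It uses Python with an in-memory SQLite table; the table and function names, the `owner` column (which ties each token to one visitor so a token issued to someone else is still rejected) and the one-hour lifetime are assumptions.

```python
import secrets
import sqlite3
import time

STALE_AFTER = 3600  # assumed lifetime in seconds; the post only says "x seconds"

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE request_token (
        token TEXT PRIMARY KEY, owner TEXT NOT NULL,
        status TEXT NOT NULL DEFAULT 'open', tstamp INTEGER NOT NULL)""")
    return db

def issue(db, owner, now=None):
    """Create a token for one visitor when the form is rendered."""
    token = secrets.token_hex(16)
    db.execute("INSERT INTO request_token (token, owner, tstamp) VALUES (?, ?, ?)",
               (token, owner, int(time.time() if now is None else now)))
    return token

def submit(db, token, owner, handler, now=None):
    """Run handler() at most once per token and report what happened."""
    now = int(time.time() if now is None else now)
    # Atomic claim: only one request can move a fresh row from 'open' onward,
    # so a double click or a replayed form never runs the handler twice.
    claimed = db.execute(
        "UPDATE request_token SET status = 'processing', tstamp = ? "
        "WHERE token = ? AND owner = ? AND status = 'open' AND tstamp >= ?",
        (now, token, owner, now - STALE_AFTER)).rowcount
    if claimed:
        status = "success" if handler() else "failed"
        db.execute("UPDATE request_token SET status = ?, tstamp = ? WHERE token = ?",
                   (status, now, token))
        return status
    row = db.execute("SELECT status FROM request_token WHERE token = ? AND owner = ?",
                     (token, owner)).fetchone()
    if row is None:
        return "unknown"   # never issued to this visitor: reject as before
    if row[0] == "open":
        return "expired"   # too old to accept; re-render the form with its input
    return "already_" + row[0]  # repeat submit: show the earlier outcome

def purge(db, now=None):
    """Remove tokens that went stale or were used more than STALE_AFTER ago."""
    now = int(time.time() if now is None else now)
    return db.execute("DELETE FROM request_token WHERE tstamp < ?",
                      (now - STALE_AFTER,)).rowcount
```

The return value of `submit` is what the form page would use to choose its message: `already_success` can be shown as "your form was already received" instead of an error page, while `unknown` keeps the original rejection for tokens that were never issued to that visitor.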