views:

425

answers:

1

Drupal inserts a form_token as a hidden field when it renders forms. The form_token is then checked on form submission to prevent cross-site request forgery attacks. The form data that is submitted is guaranteed to have come from the original form rendered by Drupal.

However, forms using the "GET" method shouldn't need this token. All it does is lengthen and uglify the resulting URL.

Is there any way of suppressing it?

+3  A: 

Yes, there is a way, but use it consciously (see warning below):

If you create the form yourself, adding

$form['#token'] = FALSE;

to the form definition array should prevent a token from being generated in the first place.

If you are dealing with an existing form, you can bypass the token validation process by unsetting the '#token' element on hook_form_alter:

// Example for removal of token validation from login (NOTE: BAD IDEA!)
function yourmodule_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id == 'user_login_block') {
    unset($form['#token']);
  }
}


Warning: Given your question, I think there is a slight misconception concerning the difference (better, the lack of a difference) between GET and POST requests.

... on forms using the "GET" method shouldn't need this token. All it does is lengthen and uglify the resulting URL.

This is wrong! GET and POST are just two different, but mostly equivalent methods of transmitting data from the client to the server. Since POST is better suited to transfer large amounts of data (or difficult formatted data), it is the established standard for submitting forms, but it is in no way safer/unsafer or more/less secure than GET requests. Both type of requests can be tampered with by malicious users in the same ways, hence both types should use the same protection mechanisms.

With a GET request, the token does exactly the same as with a POST request - it proves to the server that the submitted data comes from the same Browser on the same machine as the request he build the form for! So you should only remove it if you are sure that the request can not be misused via XSRF.

Henrik Opel
The main difference between GET and POST is that according to the HTTP spec GET is supposed to be "safe". This means that XSRF attacks aren't as much of a problem - tricking a user's browser into making a GET request shouldn't cause any state change on the server anyway. That's why I think the form_token is superfluous.
ctford
That's right - in theory :) The important words here are "supposed to be" and "shouldn't". The difference is just a suggestion/best practice, but nothing is stopping you or other developers from using GET requests for 'unsafe' stuff and it is done quite often out of convenience, as a simple link is implemented quicker and more lightweight than a form. But sure, if you know that what your GET does is harmless, remove the token - I just wanted to stretch the point that GET is not 'inherently' safe and that the removal of token handling should be a conscious decision and not happen automatically.
Henrik Opel
That said, I think I stretched that point a little to far given your question - I edited the answer accordingly, sorry for going a bit overboard with this ;)
Henrik Opel
I didn't really make it clear in the question. Thanks for your explanation and for refining your answer.
ctford

related questions