Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2353
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I »

On one of my boards, running phpBB 3.2.7, a suspended user is reporting when they try to login they receive the "The submitted form was invalid. Try submitting again." message.

I've duplicated the problem on a localhost test board as well.

Shouldn't they be received a message that includes the "Reason shown to the banned" text?
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 52768
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by stevemaury »

What is your setting for Tie forms to guest sessions in the ACP, Security settings? If "Yes" change to "No and test.
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2353
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I »

stevemaury wrote: Tue May 21, 2019 7:05 pm What is your setting for Tie forms to guest sessions in the ACP, Security settings? If "Yes" change to "No and test.
Thanks for the quick reply. It was "Yes". Changed it to "No" and proper ban message does appear. Which leads to a follow-up question.

Is the ACP->Security settings->Tie forms to guest sessions something recent? I couldn't find it in https://www.phpbb.com/support/docs/en/3 ... al_server/. I don't recall ever configuring it, so perhaps the default value of "Yes" needs to be reconsidered?
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by EA117 »

P_I wrote: Tue May 21, 2019 7:41 pm Is the ACP->Security settings->Tie forms to guest sessions something recent? I couldn't find it in https://www.phpbb.com/support/docs/en/3 ... al_server/. I don't recall ever configuring it, so perhaps the default value of "Yes" needs to be reconsidered?
Neither the "Tie forms to guest sessions" setting nor it's default of "Yes" are new. What is new in this situation since phpBB 3.2.6 and later are that the login form(s) now check the session ID.

Now that this change has been introduced to the login forms, it seems to be uncovering that more than a couple users are having some yet-unidentified issue in which the session ID will change, between the time the login form is presented to the time when the login form is actually posted as part of a login attempt.

"Tie forms to guest sessions" set to "Yes" is actually what phpBB intends, and is "the more secure setting." But disabling it has been necessary to work around why some users seem to encounter "invalid form", even though "everything else is correct."
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2353
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I »

EA117 wrote: Tue May 21, 2019 9:39 pm "Tie forms to guest sessions" set to "Yes" is actually what phpBB intends, and is "the more secure setting." But disabling it has been necessary to work around why some users seem to encounter "invalid form", even though "everything else is correct."
Thanks. So the fact that a banned member gets the "invalid form ..." message rather than the ban reason message is a bug that has resulted from the changes made in phpBB 3.2.6. The workaround is to disable "Tie forms to guest sessions".
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by EA117 »

P_I wrote: Tue May 21, 2019 10:14 pm Thanks. So the fact that a banned member gets the "invalid form ..." message rather than the ban reason message is a bug that has resulted from the changes made in phpBB 3.2.6. The workaround is to disable "Tie forms to guest sessions".
Correct, for how it exhibited in that user's scenario. Note what's actually expected is that this user was going to see "form invalid" for their current login attempt, regardless of whether they were banned or not. The fact they were banned was likely just a factor as to why they needed to re-login / why they were not already logged in.

e.g. You'll see "form invalid" even before the "wrong username or password" failure, when in a situation where the logged-out (guest) session ID is unexpectedly changing. Not just in the situation where some specific failure or success was ultimately expected in response to the login attempt.

This "logged-out session ID is unexpectedly changing" issue that is being worked around by disabling "Tie forms to guest sessions" might have existed for some time, and may or may not have its basis in some intentional behavior. We don't know yet; it hasn't been isolated, explained or identified.

But since few forms are typically used in the logged-out state (forgotten password, registration, maybe some extensions), it may have been less likely to be encountered. Now in phpBB 3.2.6 and later, even login must now pass this form check, and so the exposure to any issues that may exist is much higher.

That's just guessing; the issue, when identified, may actually be specific to the login path. And so those other logged-out form scenarios such as forgotten password or registration may simply not have been at any risk.
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2353
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I »

Once again thanks for the detailed reply and information.

Is there an open issue raised in the phpBB tracker for this problem? I'd like to follow the investigation and resolution.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by EA117 »

P_I wrote: Wed May 22, 2019 10:31 am Is there an open issue raised in the phpBB tracker for this problem? I'd like to follow the investigation and resolution.
Not that I'm aware of, nor have I created one myself. It is the topic I was raising in the Area51 discussion board, "Normal reasons" for FORM_INVALID which now also apply to login forms., just in case anyone had some hints or could point to session behavior documentation that would help my attempt to investigate. (Not that I'm the best one to be investigating; I'm just interested.)

Personally I feel like we need more to go on, or at least a way to duplicate the problem, in order to enter a bug that would be actionable. I feel like I was able to see a scenario of the session ID changing "unexpectedly" (to me anyway), but it didn't seem to result in the login form failure. Which just added to my confusion, or is a hint that I might not be on the right track yet.

Without something concrete to point to and saying "this is wrong", the topic of "some users get form invalid during login now" will get generic and historical responses such as "delete your cookies and try again." I'm currently operating under the premise that this issue is happening in scenarios where there shouldn't have been any problem successfully saving and persisting the session ID in the cookie.

And so the fact "the session ID changed anyway" needs to be understood, even if "delete and try again" shows success or not. Since even though it might not have been "a big problem" in the past, the fact that it affects login now in phpBB 3.2.6 and later greatly increases exposure to the issue. But I haven't had a useful amount of time at my end to continue pursuing it further.
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2353
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I »

I can reproduce the problem 100% of the time on my localhost setup, using the phpBB QuickInstall tool and phpBB 3.2.7.

The steps are:
  1. I use the Populate board option to populates the board with the number of users, forums, posts and topics you specify below. Note that the more users, forums, posts and topics you specify, the longer it will take to process.
  2. As admin I then ban for 2 weeks one of the populated users, i.e. tester_1.
  3. I then switch to another browser, click the Login link which takes me to www.example.com/qi/boards/testing/ucp.php?mode=login (note there is no sid=xxxx present) and attempt to login as the banner user. I get the "The submitted form was invalid. Try submitting again." message.
  4. As admin, changing ACP->Security settings->Tie forms to guest sessions to No.
  5. Repeat the login attempt as tester_1 in the other browser and this time get the message "You have been banned from this board until Jun 5th, ’19, 09:59.

    Please contact the Board Administrator for more information.

    Reason given for ban: Because Tie form to guest session enabled

    A ban has been issued on your username."
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Lady_G
Registered User
Posts: 273
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by Lady_G »

Thank you for this information, as I can also reproduce this problem in my localhost test environment.

With my current ACP --> General --> Security settings --> Tie forms to guest sessions: "Yes"

my banned test account receives the "The submitted form was invalid. Try submitting again." message.

Changing the setting to "No", results in the expected "Reason shown to the banned:" message.

Is there any security risk if I change the setting as you describe, from "Yes" to "No", at this time? Or, should I wait for more information?
EA117 wrote: Tue May 21, 2019 9:39 pm Now that this change has been introduced to the login forms, it seems to be uncovering that more than a couple users are having some yet-unidentified issue in which the session ID will change, between the time the login form is presented to the time when the login form is actually posted as part of a login attempt.
In the past week, I have also been receiving "The submitted form was invalid. Try submitting again." message when I login to my production board from the Board Index. My login time coincides with my board's peak traffic times (heavy server load).

I cannot reproduce this problem, but it is happening infrequently (a few times, not predictable). This could be another indication of the "yet-unidentified issue" due to a timing delay between session ID check and login attempt.
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2353
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I »

Reported as [PHPBB3-16066] Banned or suspended user receives "The submitted form was invalid. Try submitting again." - phpBB Tracker

It would be very helpful if someone from the phpBB development or support team could confirm there are no negative consequences of the workaround posted above to change the ACP setting of Tie forms to guest sessions from the default value of “Yes” to “No”.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
</Solidjeuh>
Registered User
Posts: 1788
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by </Solidjeuh> »

P_I wrote: Thu May 23, 2019 1:30 pm It would be very helpful if someone from the phpBB development or support team could confirm there are no negative consequences of the workaround posted above to change the ACP setting of Tie forms to guest sessions from the default value of “Yes” to “No”.
Any news here? I also had to set this setting to "No".
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2353
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I »

No news but the topic is marked solved. Still waiting for confirmation/recommendation on the setting from the phpBB team.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by EA117 »

I'm definitely not the expert, and take a phpBB security developer response over mine any day.

But for what it's worth, the interpretation I have is that using the session ID in the form check for non-logged-on sessions makes it nearly impossible (instead of just "hard") for someone to script an HTTP POST request to attempt submitting the form without actually having visited the site & received the form from phpBB. (e.g. If you were trying to brute force a login, submit fake "I forgot my password" requests for multiple users, give fake votes in a poll that is accessible to not-logged-on users, etc.) i.e. To submit the form without giving phpBB the opportunity to deny providing you with the form, or for phpBB to change the form to include additional requirements.

Without the session ID included, it's still "hard" to do that, but with the session ID included its even more difficult. What I can't answer is how much benefit specifically the login form gets from this change, since there are additional things protecting the login form such as the fact that captcha countermeasures can be enabled after a certain number of failed logins.

I also can't answer what specifically led to making this change in phpBB 3.2.6, because there are no public details on what led to the "[SECURITY-228] - Require form token in login_box" issue addressed in phpBB 3.2.6.

So my characterization of why the "Tie forms to guest sessions" setting exists at all is that we were already "pretty safe" even without the session ID being included in the form key used for not-logged-on users. The intention was to "harden" and "become even more safe" by including the session ID in that form key.

As mentioned earlier, "Tie forms to guest sessions: Yes" has been the default in phpBB "forever", and the only thing that changed recently is that the form key check started being used in the login form, too. (And login, by definition, has always been a not-logged-on or "guest" user situation.) But whether it was just "general hardening" which led to the "[SECURITY-228] - Require form token in login_box" changes, or actually "in response to a specific issue or observation", I do not know.

We are losing some, but not all, of that security fix by setting "Tie forms to guest sessions: No". Because even without the session ID being included, there are still other components of the form key hash that are difficult to replicate without receiving the form from the phpBB server.

That form key hash is still being checked on the login forms starting in phpBB 3.2.6 and later, even when configured for "Tie forms to guest sessions: No". Leaving the session ID included in that hash would have simply made it "even more difficult" to "fake" one of those forms, same as it always has for any form even prior to phpBB 3.2.6.
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2353
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I »

Very, very helpful. Thank you very much for the time and effort you've put into providing an understanding of the functionality and how it operates.

Although I'm definitely more knowledgeable about the issues at play, I'm stuck in a catch-22 situation wanting to keep my boards as secure as possible without any documented information that I can find on when it would be acceptable to change the ACP setting from the default value of Yes.

Clearly the hardening that took place in 3.2.6 and 3.2.7 still has some unintended consequences and bugs.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Post Reply

Return to “[3.2.x] Support Forum”