Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Lady_G
Registered User
Posts: 234
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by Lady_G » Sat Jul 27, 2019 6:39 pm

(phpBB version: 3.2.7)

My board is receiving support requests from banned members who receive the "The submitted form was invalid. Try submitting again." message. They are unable to login (and therefore do not know they were banned).

I can reproduce this behavior with my production database in a localhost test environment. I confirm that changing "Tie forms to guest sessions:" from Yes to No will fix the problem.

Is there a work-around from the development team until [PHPBB3-16066] Banned or suspended user receives "The submitted form was invalid. Try submitting again" is resolved?

I do not want to reduce my security protection for the sole purpose of informing a banned member that he has been removed from my board.

I recommend removing the "Solved" icon in the topic title until the development team provides a work-around (or determines that we must wait for the bug to be fixed).

User avatar
EA117
Registered User
Posts: 1069
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by EA117 » Sat Jul 27, 2019 8:05 pm

The "Tie forms to guest sessions:" setting is the workaround, if there is an "form invalid" condition that can't be solved otherwise.

Not sure if it makes you feel any better about it, but I don't expect "you're doing it for just your banned users." Your banned users are the ones noticing this issue, but it's an issue that likely would affect new users trying to register, other users who unexpectedly end up in a logged-out state instead of successfully "Remember me", etc. Meaning, any case in which your board needs to present a form (even if not specifically a login form) to a not-logged-on user.

Given the small trade-off in reducing one of the hash components phpBB was using, versus the impact this could have on your logged out users, I would feel comfortable about using "Tie forms to guest sessions:" until we see additional root causes being identified and resolved. We ran from phpBB 3.0 to phpBB 3.2.5 without this form_key validation occurring in the logged-out user forms at all. So although we don't understand the "why" yet, living without session_id being part of the form_key for now doesn't feel like a "make or break" concession, to me anyway.

Lady_G
Registered User
Posts: 234
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by Lady_G » Sun Jul 28, 2019 12:38 am

Thank you for the helpful explanation, as I can now understand the problem. I have no concerns of using the work-around as you suggest.

Your topic "Normal reasons" for FORM_INVALID which now also apply to login forms. - Development Discussion Board describes my situation posted in an earlier report:
Lady_G wrote:
Wed May 22, 2019 7:25 pm
...In the past week, I have also been receiving "The submitted form was invalid. Try submitting again." message when I login to my production board from the Board Index. My login time coincides with my board's peak traffic times (heavy server load).

I cannot reproduce this problem, but it is happening infrequently (a few times, not predictable). This could be another indication of the "yet-unidentified issue" due to a timing delay between session ID check and login attempt.
I can provide additional information that the problem only appears when I first login to my production server 1 day later.

- Login to my production server from the Board Index. "The submitted form was invalid. Try submitting again."
- I am redirected to the UCP login form https://(board URL)/forum/ucp.php?mode=login, the login is successful.
- Repeating the login / logout for the remainder of the day - no error messages.
- Login to my production server 1 day later from the Board Index repeats the error message.

I think this can be explained by a caching problem. Waiting 1 day (maybe less, I do not know) should have completely new cache files and therefore starts my login process as new entries in the phpBB cache directory.

I cannot reproduce this problem on my localhost test environment. I can repeat the banned user error message as localhost, but not as a valid (not banned) user.

User avatar
EA117
Registered User
Posts: 1069
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by EA117 » Sun Jul 28, 2019 4:10 am

Lady_G wrote:
Sun Jul 28, 2019 12:38 am
Your topic "Normal reasons" for FORM_INVALID which now also apply to login forms. - Development Discussion Board describes my situation posted in an earlier report: ...
Your question got me poking at this for some more time today, and even though I continue to believe -- same as you linked my quote on -- that there is still some more subtle and intermittent issue we have yet to identify, I did identify what I believe to be the root cause of P_I's observed and reported case involving "banned user message":

https://tracker.phpbb.com/browse/PHPBB3-16066?focusedCommentId=62407

Meaning in addition to whatever other issues still exist, there actually is also a "banned user"-specific issue which results in "form invalid." So this banned user-specific issue can be resolved and get its own fix, even while we continue looking for other less persistent causes of the same symptom.

User avatar
P_I
Registered User
Posts: 942
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by P_I » Sun Jul 28, 2019 2:42 pm

EA117 wrote:
Sun Jul 28, 2019 4:10 am
I did identify what I believe to be the root cause of P_I's observed and reported case involving "banned user message"
Thanks for all the effort to track this down. My background is software development and I know that intermittent problems are always the most difficult and frustrating to track down the root cause. Your efforts are much appreciated.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

Lady_G
Registered User
Posts: 234
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by Lady_G » Tue Jul 30, 2019 12:49 am

EA117 - I see that your first pull request has been committed to the 3.2.x branch. 8-)

I have incorporated the update from [ticket/16066] Fix FORM_INVALID always returned for banned user. Pull Request #5635 and confirm the fix on my localhost test environment.

Based on your clear explanations, I assume this is the appropriate work-around to address a single problem of a banned user - until phpBB 3.2.8 is released?

(Bug report [PHPBB3-16066] Banned or suspended user receives "The submitted
form was invalid. Try submitting again."
has been closed and assigned to phpBB 3.2.8-RC1.)

User avatar
EA117
Registered User
Posts: 1069
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by EA117 » Tue Jul 30, 2019 3:52 am

Thanks. And correct, adding the && !defined('IN_CHECK_BAN') to the line shown in https://github.com/phpbb/phpbb/pull/5635/files will prevent the banned user-specific source of "the form was invalid." Thankfully it has been tagged for 3.2.8; so unless that changes, we do expect to see this change included in the final release.

Whether you find you still need "Tie forms to guest sessions:" disabled may vary; if you're still having other non-banned user-related issues with this, you might need to keep that workaround enabled too. All we can say for sure is you wouldn't need that workaround for the banned user case any more, after making the fix in https://github.com/phpbb/phpbb/pull/5635/files.

Lady_G
Registered User
Posts: 234
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by Lady_G » Wed Jul 31, 2019 1:58 am

I have successfully incorporated the fix on my production server. Thank you very much.

My concerns about disabling "Tie forms to guest sessions:" are related to your earlier post stating there were no public details on what led to the [SECURITY-228] - Require form token in login_box issue addressed in phpBB 3.2.6.

I respect the need to keep security details private. If "Tie forms to guest sessions:" was fixed for 3.2.6+, I consider it part of the total solution to address those security details and this setting should not be disabled. (If this settting will always be required, consider removing the setting in the Admin Control Panel.)

I will accept the occasional "The submitted form was invalid. Try submitting again." error message when logging in from the Board Index. Since the process falls-through to the UCP login forum/ucp.php?mode=login, there is no urgency to fix this problem. (I have received this error again...)

To help your investigation, my board is configured to use the memcache driver. In config.php:

Code: Select all

$acm_type = 'memcache';

User avatar
John connor
Registered User
Posts: 2306
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by John connor » Wed Jul 31, 2019 4:43 am

EA117 wrote:
Tue Jul 30, 2019 3:52 am
Thanks. And correct, adding the && !defined('IN_CHECK_BAN') to the line shown in https://github.com/phpbb/phpbb/pull/5635/files will prevent the banned user-specific source of "the form was invalid." Thankfully it has been tagged for 3.2.8; so unless that changes, we do expect to see this change included in the final release.

Whether you find you still need "Tie forms to guest sessions:" disabled may vary; if you're still having other non-banned user-related issues with this, you might need to keep that workaround enabled too. All we can say for sure is you wouldn't need that workaround for the banned user case any more, after making the fix in https://github.com/phpbb/phpbb/pull/5635/files.
With this fix do I need to use Tie forms to guest sessions?

User avatar
EA117
Registered User
Posts: 1069
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by EA117 » Wed Jul 31, 2019 5:44 am

John connor wrote:
Wed Jul 31, 2019 4:43 am
With this fix do I need to use Tie forms to guest sessions?
If the issue you were having up until now was only when attempting to login with a user who was banned, or from a banned IP address -- then no, after applying this fix, you would not need to leave "Tie forms to guest sessions" disabled. There was an issue specific to the "banned user login" case which would return "form invalid" even though everything had actually verified correctly. That issue is what's fixed with the https://github.com/phpbb/phpbb/pull/5635/files change.

But some people -- like Lady_G described, and in other support threads here -- are having this "form invalid" issue occasionally during login even when not attempting to login as a banned user. We still expect there is some other issue or conditions, yet to be identified, which is causing this issue to occur even for folks who have their cookie settings correct, and even though they weren't hitting the banned user issue. This banned user-specific fix will not prevent those other instances, and you could still end up seeing "form invalid" during login unless you disable "Tie forms to guest sessions".

Someone who was experiencing the "banned user" issue was hitting this form invalid result "100% of the time" whenever a banned user was involved. Now that this fix is available for that specific case, whether or not they want to keep using the "Tie forms to guest sessions" workaround depends on how frequently they were hitting the "form invalid" issue outside of the "banned user" case. And also, how risky or non-risky they feel about continuing to use the "Tie forms to guest sessions" workaround.

User avatar
John connor
Registered User
Posts: 2306
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by John connor » Wed Jul 31, 2019 8:15 am

Well, I don't know what the hell is going on here, but I don't have an includes folder in the phpBB folder. I'm using 3.2.7. :x

Yes, I have this issue. Just banned a test user and I get a form was invalid yada yada. Would like to fix it.


Edit-

Okay, what am I missing here? I don't even see that folder in the download for 3.2.7.
Last edited by John connor on Wed Jul 31, 2019 8:18 am, edited 1 time in total.

User avatar
david63
Registered User
Posts: 16703
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by david63 » Wed Jul 31, 2019 8:56 am

John connor wrote:
Wed Jul 31, 2019 8:15 am
I don't have an includes folder in the phpBB
First of all there is no phpBB folder in phpBB 3.2.7 (or any other version that I am aware of).

There is however a phpBB3 folder which is, in effect, the root folder and may or may not be present depending on how you have installed phpBB and that contains an includes folder - if it does not then your board would not work.

There is also a phpbb folder which contains several folders, non of which is includes

Bear in mind that phpBB and phpbb are NOT the same.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
warmweer
Registered User
Posts: 3012
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by warmweer » Wed Jul 31, 2019 8:58 am

John connor wrote:
Wed Jul 31, 2019 8:15 am
Well, I don't know what the hell is going on here, but I don't have an includes folder in the phpBB folder. I'm using 3.2.7. :x
...
Okay, what am I missing here? I don't even see that folder in the download for 3.2.7.
It's not supposed to be in the phpbb folder, but at the root level (alphabetically between /images and /install) and that's where it is and has been in every 3.2.x I have checked.
The year is 2192. The British Prime Minister visits Brussels to ask for an extension of the Brexit deadline. No one remembers where this tradition originated, but every year it attracts many tourists from all over the world.

User avatar
John connor
Registered User
Posts: 2306
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by John connor » Wed Jul 31, 2019 10:29 am

Yeah, looks like phpBB3/includes

User avatar
John connor
Registered User
Posts: 2306
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Banned or suspended user receives "The submitted form was invalid. Try submitting again."

Post by John connor » Wed Jul 31, 2019 10:52 am

And I can confirm the code works. Thanks!

Post Reply

Return to “[3.2.x] Support Forum”