Handling frequent 400/401/403 errors in multi-step forms

[romainpoirier]

Support Request

I am using Sprig (2.8.0) for multi-step forms that are only accessible to logged-in users.

The action of these forms goes to module controllers, starting with:

$this->requireSiteRequest()

I frequently receive the following types of 400/401/403 errors in the logs, which seem to be related to Sprig (refs to craft-sprig-core):

[web.ERROR] [yii\web\HttpException:400] Unable to verify your data submission. {"trace":[...],"memory":4002400,"exception":"[object] (yii\web\BadRequestHttpException(code: 0): Unable to verify your data submission. at /www/vendor/yiisoft/yii2/web/Controller.php:220)"}
[web.ERROR] [yii\web\HttpException:401] Your request was made with invalid credentials. {"trace":[...],"memory":3868488,"exception":"[object] (yii\web\UnauthorizedHttpException(code: 0): Your request was made with invalid credentials. at /www/vendor/yiisoft/yii2/filters/auth/AuthMethod.php:93)"}
[web.ERROR] [yii\web\HttpException:403] {"trace":[...],"memory":2580328,"exception":"[object] (yii\web\ForbiddenHttpException(code: 0):  at /www/vendor/craftcms/cms/src/web/Controller.php:205)"}

Assumption: Some users keep form pages open in their browsers. Sometimes, they submit a form page while their session has expired (after one hour, as specified by userSessionDuration in the Craft CMS documentation here).

However, according to the Sprig documentation (link):

If set to post, Sprig automatically sends a CSRF token in the request.

In theory, I should not need to configure anything else: the duration of the CSRF token sent by Sprig should match the ongoing user session.

Is it normal to regularly receive these 400 errors? How can I prevent this?

Plugin Version

2.8.0

[bencroker]

Do those errors only appear in the logs, or can you reproduce them? That 400 error, for example, is due to CSRF protection kicking in, so it may be caused by spam bots submitting the form. For the other errors, I’d need to see the full stack trace.

[bencroker]

Closing due to inactivity.

[romainpoirier]

Apologies for the delayed response, I was busy with the project launch.

The Sprig form is only accessible to logged-in Craft users, preventing spam bots from creating it. Despite this, some users report errors, but there’s no clear pattern.

I cannot reproduce these errors, which complicates debugging. However, the issues have been reported by several users.

Users are authenticated through a Controller using the following code:

$user = Craft::$app->users->getUserById($userId);
Craft::$app->user->login($user, 3600);

Below are recent examples of 400 and 403 errors. Since the site is in production, more detailed stack traces are unavailable.

Error 400:

• Message: Impossible to verify your data submission.
• Trace:

  #0 /srv/var/www/.../controller.php(171): ...Controller->beforeAction()
  #1 /srv/var/www/.../componentscontroller.php(39): ...Controller->beforeAction()
  #2 /srv/var/www/.../controller.php(176): ...componentscontroller->beforeAction()
  #3 /srv/var/www/.../module.php(552): ...Controller->runAction()
  #4 /srv/var/www/.../application.php(341): ...Module->runAction()
  #5 /srv/var/www/.../application.php(642): ...Application->runAction()
  #6 /srv/var/www/.../application.php(303): ...Application->_processActionRequest()
  #7 /srv/var/www/.../application.php(384): ...Application->handleRequest()
  #8 /srv/var/www/.../index.php(12): ...Application->run()
  #9 {main}

• Exception: [object] (yii\web\BadRequestHttpException(code: 0): Impossible to verify your data submission. at /srv/var/www/.../controller.php:220)

Error 403:

• Trace:

  #0 /srv/var/www/.../controller.php(175): ...Controller->_enforceAllowAnonymous()
  #1 /srv/var/www/.../controller.php(176): ...Controller->beforeAction()
  #2 /srv/var/www/.../module.php(552): ...Controller->runAction()
  #3 /srv/var/www/.../application.php(341): ...Module->runAction()
  #4 /srv/var/www/.../componentscontroller.php(113): ...Application->runAction()
  #5 /srv/var/www/.../componentscontroller.php(72): ...componentscontroller->runActionInternal()
  #6 [internal function]: ...componentscontroller->actionRender()
  #7 /srv/var/www/.../inlineaction.php(57): call_user_func_array()
  #8 /srv/var/www/.../controller.php(178): ...InlineAction->runWithParams()
  #9 /srv/var/www/.../module.php(552): ...Controller->runAction()
  #10 /srv/var/www/.../application.php(341): ...Module->runAction()
  #11 /srv/var/www/.../application.php(642): ...Application->runAction()
  #12 /srv/var/www/.../application.php(303): ...Application->_processActionRequest()
  #13 /srv/var/www/.../application.php(384): ...Application->handleRequest()
  #14 /srv/var/www/.../index.php(12): ...Application->run()
  #15 {main}

• Exception: [object] (yii\web\ForbiddenHttpException(code: 0): at /srv/var/www/.../controller.php:205)

[bencroker]

This does sound like a timeout issue. Have you considered increasing the value of userSessionDuration?

You can also gracefully handle those errors by listening for the htmx:responseError event in the template that contains the Sprig component.

<div id="error" class="hidden">
   An error occurred.
</div>

{% js %}
    htmx.on('htmx:responseError', function(event) {
        htmx.find('#error').toggleClass('hidden');
    });
{% endjs %}

[romainpoirier]

Currently, userSessionDuration is set to the default value of 1 hour.

I considered increasing userSessionDuration, but it doesn't seem useful or necessary. For security reasons, the session duration for this project should not be extended.

Additionally, we received support requests from users who were blocked during a subsequent step of the form. This suppose that these users did not wait long between starting and completing the submission after logging in.

I will consider using htmx:responseError to at least display an error message to these users. However, this may not resolve the issue on their next attempt.

Is there anything else we can investigate? Thank you.

[bencroker]

Unless you can replicate the error, I’m not sure what else to suggest.