Closed romainpoirier closed 2 months ago
Do those errors only appear in the logs, or can you reproduce them? That 400 error, for example, is due to CSRF protection kicking in, so it may be caused by spam bots submitting the form. For the other errors, I’d need to see the full stack trace.
Closing due to inactivity.
Apologies for the delayed response, I was busy with the project launch.
The Sprig form is only accessible to logged-in Craft users, preventing spam bots from creating it. Despite this, some users report errors, but there’s no clear pattern.
I cannot reproduce these errors, which complicates debugging. However, the issues have been reported by several users.
Users are authenticated through a Controller using the following code:
$user = Craft::$app->users->getUserById($userId);
Craft::$app->user->login($user, 3600);
Below are recent examples of 400 and 403 errors. Since the site is in production, more detailed stack traces are unavailable.
Error 400:
#0 /srv/var/www/.../controller.php(171): ...Controller->beforeAction()
#1 /srv/var/www/.../componentscontroller.php(39): ...Controller->beforeAction()
#2 /srv/var/www/.../controller.php(176): ...componentscontroller->beforeAction()
#3 /srv/var/www/.../module.php(552): ...Controller->runAction()
#4 /srv/var/www/.../application.php(341): ...Module->runAction()
#5 /srv/var/www/.../application.php(642): ...Application->runAction()
#6 /srv/var/www/.../application.php(303): ...Application->_processActionRequest()
#7 /srv/var/www/.../application.php(384): ...Application->handleRequest()
#8 /srv/var/www/.../index.php(12): ...Application->run()
#9 {main}
[object] (yii\web\BadRequestHttpException(code: 0): Impossible to verify your data submission. at /srv/var/www/.../controller.php:220)
Error 403:
#0 /srv/var/www/.../controller.php(175): ...Controller->_enforceAllowAnonymous()
#1 /srv/var/www/.../controller.php(176): ...Controller->beforeAction()
#2 /srv/var/www/.../module.php(552): ...Controller->runAction()
#3 /srv/var/www/.../application.php(341): ...Module->runAction()
#4 /srv/var/www/.../componentscontroller.php(113): ...Application->runAction()
#5 /srv/var/www/.../componentscontroller.php(72): ...componentscontroller->runActionInternal()
#6 [internal function]: ...componentscontroller->actionRender()
#7 /srv/var/www/.../inlineaction.php(57): call_user_func_array()
#8 /srv/var/www/.../controller.php(178): ...InlineAction->runWithParams()
#9 /srv/var/www/.../module.php(552): ...Controller->runAction()
#10 /srv/var/www/.../application.php(341): ...Module->runAction()
#11 /srv/var/www/.../application.php(642): ...Application->runAction()
#12 /srv/var/www/.../application.php(303): ...Application->_processActionRequest()
#13 /srv/var/www/.../application.php(384): ...Application->handleRequest()
#14 /srv/var/www/.../index.php(12): ...Application->run()
#15 {main}
[object] (yii\web\ForbiddenHttpException(code: 0): at /srv/var/www/.../controller.php:205)
This does sound like a timeout issue. Have you considered increasing the value of userSessionDuration?
You can also gracefully handle those errors by listening for the htmx:responseError event in the template that contains the Sprig component.
<div id="error" class="hidden">
  An error occurred.
</div>
{% js %}
  htmx.on('htmx:responseError', function(event) {
    // htmx.find() returns a plain DOM element, so use htmx's own class helper
    htmx.toggleClass(htmx.find('#error'), 'hidden');
  });
{% endjs %}
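An added example, not part of the thread or of Sprig's own code: a fuller `htmx:responseError` handler for the body of the `{% js %}` block that tells the two logged failures apart and records how long the page had been open. `SESSION_SECONDS`, `describeFailure` and the message texts are assumptions; the `#error` element is the one in the template above.

```javascript
// Added example (not from the thread). SESSION_SECONDS mirrors the 3600 s
// passed to login() in the controller; '#error' is the element shown above.
const SESSION_SECONDS = 3600;

// Build a diagnostic record for a failed Sprig request.
// status: HTTP status of the failed response
// pageLoadedAt, now: millisecond timestamps (Date.now())
function describeFailure(status, pageLoadedAt, now) {
  const pageAgeSeconds = Math.floor((now - pageLoadedAt) / 1000);
  // The login precedes the page load, so page age is only a lower bound on
  // session age: `false` here does not rule out an expired session.
  const pageOutlivedSession = pageAgeSeconds >= SESSION_SECONDS;

  let cause = 'other';
  let message = 'An error occurred.';
  if (status === 401 || status === 403) {
    // The 403 in the thread is raised from _enforceAllowAnonymous(); it is
    // treated here as an ended session, following the thread's hypothesis.
    cause = 'access-denied';
    message = 'Your session has ended. Please log in again.';
  } else if (status === 400) {
    // The 400 in the thread is the CSRF check failing
    // ("Impossible to verify your data submission").
    cause = 'csrf-rejected';
    message = pageOutlivedSession
      ? 'Your session has ended. Please log in again.'
      : 'The form could not be verified. Reload the page and try again.';
  }
  return { status, cause, pageAgeSeconds, pageOutlivedSession, message };
}

// Browser wiring: runs only where htmx is loaded.
if (typeof htmx !== 'undefined') {
  const pageLoadedAt = Date.now();
  htmx.on('htmx:responseError', function (event) {
    const info = describeFailure(event.detail.xhr.status, pageLoadedAt, Date.now());
    const box = htmx.find('#error');
    box.textContent = info.message;
    htmx.removeClass(box, 'hidden');
    // Keep the record so a support request can be matched to the server log.
    console.warn('Sprig request failed', info);
  });
}
```

A 400 logged with a small `pageAgeSeconds` is the case worth collecting, since it is the one the open-tab hypothesis does not explain.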
Currently, userSessionDuration is set to the default value of 1 hour.
I considered increasing userSessionDuration, but it doesn't seem useful or necessary. For security reasons, the session duration for this project should not be extended.
Additionally, we received support requests from users who were blocked during a subsequent step of the form. This supposes that these users did not wait long between starting and completing the submission after logging in.
I will consider using htmx:responseError to at least display an error message to these users. However, this may not resolve the issue on their next attempt.
Is there anything else we can investigate? Thank you.
Unless you can replicate the error, I’m not sure what else to suggest.
Support Request
I am using Sprig (2.8.0) for multi-step forms that are only accessible to logged-in users. The action of these forms goes to module controllers, starting with:
I frequently receive the following types of 400/401/403 errors in the logs, which seem to be related to Sprig (refs to craft-sprig-core):
Assumption: Some users keep form pages open in their browsers. Sometimes, they submit a form page while their session has expired (after one hour, as specified by userSessionDuration in the Craft CMS documentation here).
However, according to the Sprig documentation (link):
In theory, I should not need to configure anything else: the duration of the CSRF token sent by Sprig should match the ongoing user session.
Is it normal to regularly receive these 400 errors? How can I prevent this?
Plugin Version
2.8.0