"Your browser session has expired and we are unable to complete your form submission" on all D9.2 anonymous sessions
Overview
This is an expensive bug, so I'm reporting it even though I don't have complete information.
On all D9.2 sites, anonymous users whose first visit to a CiviCRM page is a contribution or event registration page will receive the error "Your browser session has expired and we are unable to complete your form submission" on submission. If they resubmit the page it will go through.
Steps to Replicate
- Install a fresh D8 buildkit site.
- Upgrade to D9.2.0 or higher.
- Open an incognito window and paste in the URL to an event/contribution page (easiest to test if it's a free event with a confirmation page).
- Submit the page. See the error.
Analysis
I'm still tracking this down and I don't really know the Civi session manager well - but on initial page load, CRM_Core_Key::sessionID() returns an empty string. On submitting the form, it finds a session ID correctly, so in CRM_Core_Key::validate() the expected key doesn't match the actual key.
While debugging, it's good to note that you can composer update to switch between D9.1.3 and D9.2.8 to switch between unbugged and bugged behavior.
It looks like this is the cause: https://www.drupal.org/node/3006306
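The mismatch described in the analysis, as an added example that is not CiviCRM's or Drupal's code and not part of the original report: a simplified model in which the form key is an HMAC over the form name and the session ID. The LazySession class, the function names, the secret and the HMAC construction are all assumptions made for illustration.

```php
<?php
// Simplified model (assumption): the form key is an HMAC over the form name
// and the current session ID. This is not the CRM_Core_Key implementation.
const SITE_SECRET = 'constructed-demo-secret'; // constructed sample value

// Hypothetical stand-in for a lazily started anonymous session:
// no ID exists until something forces the session to start.
final class LazySession {
    private string $id = '';
    public function id(): string { return $this->id; }
    public function start(): void {
        if ($this->id === '') { $this->id = bin2hex(random_bytes(16)); }
    }
}

function formKey(string $form, string $sessionId): string {
    return hash_hmac('sha256', $form . "\0" . $sessionId, SITE_SECRET);
}

function validateKey(string $form, string $sessionId, string $submitted): bool {
    // Constant-time comparison of the expected and submitted keys.
    return hash_equals(formKey($form, $sessionId), $submitted);
}

// Hardened issuer: make sure a session ID exists before deriving the key,
// so the key is never bound to an empty string shared by every visitor.
function issueKey(string $form, LazySession $s): string {
    if ($s->id() === '') { $s->start(); }
    return formKey($form, $s->id());
}

// Reported behaviour: the key is rendered while the session ID is still
// empty, then validated on submit against the ID that exists by then.
$s = new LazySession();
$rendered = formKey('Register', $s->id());
$s->start();
var_dump(validateKey('Register', $s->id(), $rendered));

// Resubmission: the re-rendered form carries a key bound to the real ID.
$rendered = formKey('Register', $s->id());
var_dump(validateKey('Register', $s->id(), $rendered));

// Hardened issuer: the session is started before the first key is derived.
$s2 = new LazySession();
$rendered = issueKey('Register', $s2);
var_dump(validateKey('Register', $s2->id(), $rendered));
```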