Security component auth blackhole problem

I have a number of forms, some of them are fine but two are causing an “auth” blackhole. I’m using the 2.7.x library, it might be a slightly different library, I do not have access to the server that it is on at the moment.

In the problematic forms I have taken out the JS so that the form does not get manipulated but that does not solve the problem.

I have an array of unlockedFields and I’m 99% sure that these are all of the fields that the JS changes. This is set in beforeFilter of each controller and I am statically calling the parent beforeFilter in there.

The security component is the first in the list of components in the AppController. I have the following settings:
‘csrfUseOnce’ => false, ‘csrfExpires’ => '+1 hour’
and a callback to log the reason for the blackhole which then throws the BadRequestException.

The only thing that I can think of which I haven’t looked at yet which could manipulate the form is i18n but the BadRequestException is not just thrown with a language change and it is only thrown in two of the forms.

All of the forms are created and ended in the same way i.e.
echo $this->Form->create(‘Health’, array(‘class’ => ‘form-vertical’, ‘novalidate’ => true));
echo $this->Form->end();

All form elements are created with $this->Form excepting that I am manually writing the labels for the Form->checkbox in one of the failing forms, the other form submission could be failing for a different reason. Would this cause a failure?

Debugging SecurityComponent in 2.x can be hard. I don’t know how many field are in the forms but to me there are 2 things to do. Check the actual request that is made when you submit the form, you can do that by putting debug($this->request->data) at the beginning of your action. If that doesn’t show the problem than i would try commenting fields until SecurityComponent doesn’t blackhole the request anymore. This way you can tell which field is blackholing the request.

Thanks Joris the form was large but I divided it into areas which made it quicker to locate the offending form elements.

I found that Security component does not handle inputs of type
’multiple’ => ‘checkbox’

they result in an auth blackhole