[trendoman]

@KK,

There is a reporting form, which has some inputs, featuring a list of projects and a list of users. Sometimes it is necessary to generate report, covering all users and all projects (for accounting & etc). Submitting such a form I have found something you might be interested in.

If total number of submitted objects (id's of pages, for example) significantly exceeds max_input_vars limit in php.ini (usually 1000), then k_error is not triggered (as well as k_success, obviously). No messages after the form is submitted, page reloads as if nothing happened.

If total number of such POST elements is about 1000, then Couch fires a notice 'Security tokens do not tally for executing this action. Please try again.' and doesn't load the page.

I am sure, such kind of behavior makes it hard for debugging. (A silent '1000' limit in cms:pages and other functions is also arguable approach. )

Increasing max_input_vars certainly helps.

So, it might be nicer to do some checks on that and if the number is about 1000 then some notice could be fired or something?

[KK]

Thanks for the heads-up.

'max_input_vars' is a relatively new addition to PHP (debuting with 5.3.9).
If the number of values posted by a form exceed this number, PHP runtime will throw an error and die - this will happen before Couch would have any chance to figure out how many elements were posted. Also this 'max_input_vars' limit can only be set in php.ini (i.e. cannot be done by Couch at run-time).

So, as far as I can see, there is little we can do except perhaps document this caveat for very large forms. Let me know if you think otherwise.

That said, I am sure you do realize that a form with 1000 elements is indeed *huge*, right?
There will likely only be a few users of Couch who would work with forms of that magnitude - and, I am sure, those would be the kind who can fend for themselves if things go awry.

The 1000 pages limit in <cms:pages> that you mentioned is not an absolute limit - you can always override it by explicitly defining a value for the 'limit' parameter.

The '1000' figure appears to be a sane one to prevent unsuspecting users from getting their script into an endless loop (seemingly) if they forget to set the 'limit' parameter.

Once again, users deliberately trying to display 1000 pages in a single go will be pretty few.
The defaults that Couch chooses has to cater to the majority.

[trendoman]

Yeah, I was probably wrong about 'silent' page limit in cms:pages, because you have set k_paginate_limit: 1000 to reflect that. I confess, never paid attention to it and never saw it, while it was there

About message, that Couch gives out ("..do not tally..") - it of course doesn't reflect what happened, so this must be addressed, since this is already a part of the system. If some rarely accessed (and probably unknown) aspect doesn't behave, does this mean that it can be ignored? Hardly

[KK]

If some rarely accessed (and probably unknown) aspect doesn't behave, does this mean that it can be ignored? Hardly

I agree.

Can you elicit the problem on a consistent basis? I mean, do you have a form that has the 1000+ elements and it throws this error every time it is submitted?

Is so, please give me access to the setup and I'll try to see if I can spot what is going wrong.

Honestly though, I have a feeling that the large number of submitted values is causing PHP to truncate the posted data (before it reaches Couch) thus causing the security nonce to be lost (thus causing the error).

In which case, even if we can single out the reason, the solution would lie external to Couch (i.e. in php.ini).

[trendoman]

Interesting idea about cut-off values of hidden nonce input. Yes, the problem repeats itself on a constant basis and with some effort I can make it reappear again. It was like I had approached the limit gradually, so it was fine with 994 and gone wild 995 values. in my case I had 4 inputs, 3 with one value each and 4th had exactly 995 values. What it would take for Couch to send nonce inputs first? Place them right after opening <form>?

[KK]

What it would take for Couch to send nonce inputs first? Place them right after opening <form>?

Shouldn't matter where in the form you keep the nonce (so long as it is present).
Please go ahead and try placing it at the top of the form and see if that helps. Let us know.