Skip Navigation

[Resolved] CRED Redirects

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.


This topic contains 35 replies, has 4 voices.

Last updated by Beda 1 year, 7 months ago.

Assigned support staff: Beda.


I have personally tried Code C locally yesterday, and I can see the nonce added, please see my previous reply.
Also, fatal errors in code B are certain, with the missing apostrophe, and this is crucial when we debug or make examples of code, to ensure it works.
How else could we otherwise state, this code works (while in fact, it breaks) and other code breaks (but in my tests it works)?

This is the reason we need to be sure, the code actually does what it is supposed to do from a practical point of view.

We can see the nonce added in the URL I posted in my previous reply, and there is no reason for this not to work online, unless, there are conflicts, or the code is faulty.
Whether your nonce verification fails or not is as said a concern of custom code
The URL to which Forms redirects, with that code, will hold the nonce in the URL, there is no other way for it to happen, unless, the code is faulty or conflicts are there.

The only I can imagine is that the urlencoded URL as shown previously causes issues in your custom code.

But that is not of concern here, please let us focus on the actual issue that supposedly is in Forms:
When you use code C and use the form, what do you see in the URL of the redirect?
Do you see the same as I saw here?
As we can see, the nonce is added.
If you do not see this, then the code is faulty on your site, or, there is a 3rd party conflict. I would need to know what exactly you see in the URL, after redirect?
Also, can I, in this case, see it online?
I'll need the Form, the page where to submit, access to the code, and permission to change it (please perform a backup before this)



When hovering on a regular link, the full URL is visible bottom-left of monitor but no URL appears when hovering on a CRED form submit button. Where are you seeing the URL (and therefore that the parameter & nonce has been applied)?


In my previous replies, I elaborate extensively where the URL will appear: In the Browser URL field when submitting the form. It is a redirect and it redirects successfully to that URL on form Submit

Of course, it's not visible in the hover of the button, as the redirect custom code is hooked to the success redirect, it is not yet generated, we did not even submit the form yet.
Hence there can be no URL to point to when hovering on the button - and it is also not any requirement of validation to have a button hover URL matching something else.

The statement was that the nonce breaks the forms redirect.
Please explain to me, where you see a problem with the redirected URL.

It works for me, when I use your Code C, and submit a form, the URL will tell:
nonce, id, and Forms internal referrer

That's exactly what we pass in the custom function (and the native Forms referrer parameter)

We can't help with Custom Code that is outside the terms of any Forms API. So if you refer to the problem of how you'll validate any data from a URL parameter, this is not within Toolste's Support.
That relates to the custom code that lives on the page where you redirect Forms to.

Imagine, you have a Garage at home and you go to a Car Dealer to buy a Car.
Your expectation is that the garage somehow validates the Car so only your car can fit in the garage

The Garage is the page where the Form is redirected to, which in this case is our car

It's not the car's responsibility to ensure only it can fit in the garage.
You can potentially fit ANY car in there. It's the Garage's responsibility to validate who enters and exits. In other words, the Garage'^s owner. That's the Webmaster in the case of Pages and Forms.

The toolset cannot design validation for particular requirements on a page it is accidentally redirected to.
You can change the redirect, add all sorts of URL attributes, but that's like you stick an ID on your car so it passes he Garage's security measures.
It's not the car providing that feature or the car manufacturer.

In general, I miss the exact steps you take to have what issue. I know only that you try to pass a nonce to a redirect and that works just fine in any form we apply it to.
Can you example to me a user case, an expected result and what you get instead?

I apologise, if it is clear to you what the requirements are, as far I understand the goal, Forms works fine with the parts it can work

Meaning, code C produces a fine redirect with nonce appended as url argument, and I do not know what the issue is with that.



and in my previous replies I've explained that my custom page template merely executes code and redirects the user to the final destination so how you expect me to be able to see the redirect URL in that scenario I really don't know.

I'm sorry you're finding this frustrating - you're not the only one - and I feel you're having a go at me. You keep banging on about custom code but I haven't once asked you to comment on the code in my custom page template; I've only ever asked about the cred redirect hook.

Now that I understand what you mean regarding the redirect URL, I've carried out some more testing and it appears the "&nonce_token" is translating to "&amp%3Bnonce_token" so no wonder it doesn't verify successfully. I've now re-worked the line in my code that nonces the URL and it is now verifying successfully.

Thank you for your help. I hope our next communication is a more positive one.


ticket closed


Yes, this is what I have been explaining here,

How would we know your code in the redirect page (success redirect) is once more immediately redirecting, without you having a chance to see the URL?
A Form redirect stops there where it redirects to - the URL you set in the settings, or by the API shared.

Thank you for your patience!