From 28fcfcca344d83556b02fe5df8d3a77ae042903f Mon Sep 17 00:00:00 2001
From: Viktor Miller
Date: Fri, 6 Feb 2026 22:55:30 +0900
Subject: [PATCH] fix(08-01): replace session_id with unique form_id to prevent error cross-contamination

- Remove all session_id() calls (unreliable on WordPress hosts)
- Generate unique form_id with uniqid() in form renderer
- Pass form_id via hidden field and GET parameter through redirect
- Use form_id for per-submission transient keys
- Fix validation error format to match expected array structure with 'messages' key
- Both captcha and validation errors now use consistent format

Fixes production-blocking bug where multiple users shared 'umzugsliste_errors_default' transient key.

Co-Authored-By: Claude Opus 4.6
---
 includes/class-form-handler.php | 20 +++++++++++++++-----
 includes/class-form-renderer.php | 16 ++++++++++------
 2 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/includes/class-form-handler.php b/includes/class-form-handler.php
index 365fe5c..893e980 100644
--- a/includes/class-form-handler.php
+++ b/includes/class-form-handler.php
@@ -60,6 +60,12 @@ class Umzugsliste_Form_Handler {
 wp_die( 'Security verification failed. Please try again.' );
 }
 
+ // Extract form_id from POST
+ $form_id = isset( $_POST['umzugsliste_form_id'] ) ? sanitize_text_field( $_POST['umzugsliste_form_id'] ) : '';
+ if ( empty( $form_id ) ) {
+ $form_id = 'umzug_' . uniqid( '', true );
+ }
+
 // Verify captcha
 $captcha = Umzugsliste_Captcha::get_instance();
 if ( $captcha->is_enabled() ) {
@@ -69,8 +75,8 @@ class Umzugsliste_Form_Handler {
 'messages' => array( 'Captcha-Verifizierung fehlgeschlagen. Bitte versuchen Sie es erneut.' ),
 'fields' => array(),
 );
- set_transient( 'umzugsliste_errors_' . session_id(), $captcha_error, 300 );
- wp_safe_redirect( wp_get_referer() );
+ set_transient( 'umzugsliste_errors_' . $form_id, $captcha_error, 300 );
+ wp_safe_redirect( add_query_arg( 'form_id', $form_id, wp_get_referer() ) );
 exit;
 }
 }
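Review bot: The `$form_id` taken from `$_POST['umzugsliste_form_id']` in the first added block is only passed through sanitize_text_field() before becoming part of a transient name, so a printable string of any length and shape is accepted as a key; set_transient() names are limited to 172 characters, and an over-long or odd value makes the later set_transient() fail quietly and the submitter never sees their errors. Since the renderer emits the id in a fixed shape, validate that shape and regenerate on mismatch: `$form_id = isset( $_POST['umzugsliste_form_id'] ) ? sanitize_text_field( wp_unslash( $_POST['umzugsliste_form_id'] ) ) : '';`, `if ( ! preg_match( '/^umzug_[a-f0-9]{16}$/', $form_id ) ) {` and the fallback `$form_id = 'umzug_' . bin2hex( random_bytes( 8 ) );`. uniqid() is derived from the clock, so ids are guessable, and because the renderer serves and then deletes the transient for whatever `?form_id=` a visitor supplies, a guessable id lets a third party read or consume another submitter's error messages; the generator in render_submit_section() in class-form-renderer.php needs the same swap. The set_transient() call in the next two hunks and the `$_GET['form_id']` read in class-form-renderer.php would use the same regex check.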
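Review bot: `wp_safe_redirect( add_query_arg( 'form_id', $form_id, wp_get_referer() ) )` in the captcha branch depends on wp_get_referer() returning a URL, but it returns false when the header is absent or points at the current request; if I read add_query_arg() right, a false URL makes it build on `$_SERVER['REQUEST_URI']`, i.e. the handler's own endpoint, so the visitor lands there with `form_id` appended and the errors stored one line earlier are never displayed. Before this change the false value fell through to wp_safe_redirect()'s admin_url() fallback, which was no better for a front-end visitor, but the new code now silently relies on the referer for the error round-trip. Resolve the target once and fall back to the page that hosts the form, e.g. `$back = wp_get_referer() ?: home_url( '/' );` followed by `wp_safe_redirect( add_query_arg( 'form_id', $form_id, $back ) );`. The validation branch in the next hunk has the same call.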
@@ -78,10 +84,14 @@ class Umzugsliste_Form_Handler {
 // Validate submission
 $validation_errors = $this->validate_submission( $_POST );
 if ( ! empty( $validation_errors ) ) {
- // Store errors in transient for display
- set_transient( 'umzugsliste_errors_' . session_id(), $validation_errors, 300 );
+ // Store errors in transient for display with proper format
+ $formatted_errors = array(
+ 'messages' => $validation_errors,
+ 'fields' => array(),
+ );
+ set_transient( 'umzugsliste_errors_' . $form_id, $formatted_errors, 300 );
 // Redirect back to form
- wp_safe_redirect( wp_get_referer() );
+ wp_safe_redirect( add_query_arg( 'form_id', $form_id, wp_get_referer() ) );
 exit;
 }
 
diff --git a/includes/class-form-renderer.php b/includes/class-form-renderer.php
index 3ad6354..757db22 100644
--- a/includes/class-form-renderer.php
+++ b/includes/class-form-renderer.php
@@ -45,20 +45,21 @@ class Umzugsliste_Form_Renderer {
 * Render validation errors if any exist
 */
 private static function render_validation_errors() {
- // Check for validation errors in transient
- $session_id = session_id();
- if ( empty( $session_id ) ) {
- $session_id = 'default';
+ // Check for validation errors in transient using form_id from GET parameter
+ $form_id = isset( $_GET['form_id'] ) ? sanitize_text_field( $_GET['form_id'] ) : '';
+
+ if ( empty( $form_id ) ) {
+ return;
 }
- $errors = get_transient( 'umzugsliste_errors_' . $session_id );
+ $errors = get_transient( 'umzugsliste_errors_' . $form_id );
 if ( ! $errors || empty( $errors['messages'] ) ) {
 return;
 }
 // Delete transient after displaying
- delete_transient( 'umzugsliste_errors_' . $session_id );
+ delete_transient( 'umzugsliste_errors_' . $form_id );
 ?>
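Review bot: The `$formatted_errors` array introduced here fixes the shape shared with the captcha branch in the previous hunk and with Umzugsliste_Form_Renderer::render_validation_errors(), which only looks at `$errors['messages']`, but nothing in either file names that contract. A one-line comment above the array would keep the three sites in step, e.g. `// Shape read by Umzugsliste_Form_Renderer::render_validation_errors(): array{messages: string[], fields: array}`. Whether `$validation_errors` is a plain list of strings or keyed by field cannot be told from this hunk since validate_submission() is out of view; if it is keyed by field, `'fields' => array()` leaves the per-field slot permanently empty and the comment should say so.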

Bitte korrigieren Sie folgende Fehler:

@@ -349,6 +350,8 @@ class Umzugsliste_Form_Renderer {
 * Render submit section
 */
 private static function render_submit_section() {
+ // Generate unique form ID
+ $form_id = 'umzug_' . uniqid( '', true );
 ?>
@@ -362,6 +365,7 @@ class Umzugsliste_Form_Renderer { ?> +