I just sent out links to my form and a client got another client's data in their form

  • steam23
    Asked on April 5, 2018 at 3:15 PM

    I just rolled out a form for my clients and one of the clients clicked the link to find it populated with the details of another client's submission. I'm not even sure how this is possible, but how can I prevent it from ever happening again?

  • jonathan
    Replied on April 5, 2018 at 4:25 PM

    I checked the form in your website but I was not able to reproduce the issue described.

    The form in the website was not auto filled with data.


    Can you also share with us the link you rolled out?

    It is possible the link you rolled out was the Edit link of the submission, which is why it was filled with previous submission data.

    User guide: How to Let Users Update Their Form Submissions at a Later Date



  • steam23
    Replied on April 5, 2018 at 4:37 PM

    I think I may have sorted it out, temporarily at least. The best I can figure out is that the save form for later feature was leaking incomplete surveys into new links. For the time being I've disabled that feature. I don't think that it was an edit link that I rolled out. I used the Squarespace embed code on my site and rolled out that link.

  • jonathan
    Replied on April 5, 2018 at 5:20 PM

    Thank you for taking the time to update us on the status and letting us know all is good at this time.

    If the save form and continue later feature you refer to was the Autofill feature, please understand that a form can only be auto-filled if the users were using the same device and browser at that time.

    Please don't hesitate to let us know if any issues arise from here on.

    Regards

  • steam23
    Replied on April 5, 2018 at 7:30 PM

    I'm not sure I would go so far as to say the issue is resolved. More mitigated than anything else. I'm not entirely sure why it's happening, but it seems to be happening if there is an incomplete form submission in the database. When I delete the incomplete submission the issue seems to go away. Also, for some reason it seems to be limited to when the user visits the form as it is embedded in our Squarespace site. If I send them a JotForm URL instead it seems to work as expected. Any ideas where the problem could be coming from?

  • John_Benson
    Replied on April 5, 2018 at 8:59 PM

    There's a chance that your user has the autofill feature enabled in their browser. To disable it and clear it, you can share this guide:

    How-to-Disable-and-Clear-AutoFill-Info-in-your-Browser

    Also, could you please explain further about the incomplete submission you're deleting to make the issue go away? I was not able to understand it properly. 

    Just to confirm, are you using the Save Forms and Continue Later feature? For more information, please visit this link: https://www.jotform.com/help/97-How-to-Save-Forms-and-Continue-Later

    If yes, please provide the main form and secondary form. 

    We'll wait for your reply. Thank you.

  • steam23
    Replied on April 5, 2018 at 9:13 PM

    It's possible that I have been unclear. Let me recap what happened:

    1. I sent out a link to my clients that included 3 fields that have been prepopulated (student first and last, and number of sessions). The link is to a form that is embedded in my Squarespace page.

    2. I hear back from one of my clients saying that the form she has received already has information in the fields that is for a different client. 

    3. In checking, I see that the client got the correct URL and in any case there is information prepopulated that I'm not encoding in the URL, such as parent name and phone number.

    4. In a bit of a panic I started looking through every setting that remotely looks like it could have caused the problem. I turned off the "Save and continue" feature and deleted the incomplete submissions. When I did that, I was able to load a clean form.

    As you can see, the client can't have had the data saved in their browser. Also they can't be getting the edit form link since it's just an embedded form. Somewhere along the chain though, there was data leakage. Any insights you might have would be welcome.

  • Nik_C
    Replied on April 6, 2018 at 1:37 AM

    Could you share the link that you sent to your users?

    I understood it was some other link with prepopulated data?

    Since we cannot replicate any issue so far.

    We'll wait for your response.

    Thank you!

  • steam23
    Replied on April 6, 2018 at 8:36 AM

    The link I sent out to my clients was https://www.anguslloyd.com/appointmentrequest?student%5bfirst%5d=john&student%5blast%5d=doe&session=2

    I'm also attaching a screen grab that one of my clients sent me (I've redacted her information since I think I've done enough damage to my client's privacy this week -_-)


    Just to be clear about my expectations for this interaction: Right now, the issue doesn't seem to be happening. My concern is that it did and I don't understand how it could have. I need to be able to explain to my boss how I can be certain that it doesn't happen again. 

  • Mike_G JotForm Support
    Replied on April 6, 2018 at 11:38 AM

    Thank you for that information.

    From what I know, the form can only be pre-populated in the following instances.

    1. A default value is set on the form fields through the Field Properties.

    2. The form is prepopulated via URL parameters, just like the sample link that you provided us.

    Prepopulating-fields-to-your-JotForm-via-URL-parameters

    3. The form is prepopulated with data based on the session ID that is being accessed. How-to-Save-Forms-and-Continue-Later

    4. The form is prepopulated with data from the local browser's storage. Form data are stored in the local browser storage when the form is filled but not submitted and the autofill feature of the form is enabled. How-to-Enable-Auto-Fill-on-Forms

    In your case, I believe what happened is related to #3.

    Based on the URL that you are providing your clients (https://www.anguslloyd.com/appointmentrequest?student%5bfirst%5d=john&student%5blast%5d=doe&session=2), you are allowing them to temporarily save the data (on our server) by using session in your URL as a parameter. With that (session) in the URL, the data entered on the form will be temporarily saved for 90 days when the "Next" button is clicked (that serves as the trigger). The data that was saved can be accessed by using the session ID. Therefore, on the URL that you are providing your clients, the data are stored as session 2.

    Every time the session with the session ID equivalent to 2 is accessed, it will load the data saved in that session.

    Here's a sample form that is based on your form — https://form.jotform.com/80953723780968?session=2

    Notice that it only needs the session parameter and session ID to load the data saved in that session. Please try to change some data in that form, then click the Next button. When you reload the same URL with the session parameter still equal to 2, you will see the change(s) you just made.

    The Incomplete Submissions wizard on your submissions page shows that there is a session saved. A saved session can be removed by deleting the session from that wizard or when the form with that session is submitted.

    To fix the issue you are having, I suggest that you do not use the word "session" in your URL to represent a field in your form. You can do that by updating the field name/label of the field in your form. (Note: Do not delete/replace the field as it will delete all the submission data associated with it, just update the field label/name).

    I hope this helps. If you have other questions or concerns, please do not hesitate to let us know.

  • steam23
    Replied on April 6, 2018 at 11:47 AM

    I am so glad that we have an answer. I think that you've hit the nail on the head and I am going to change that variable name right now. Just to make sure I'm covered, if I have the "Continue Forms Later" setting disabled, there should be no sessions for anyone else to load. Correct?

  • Mike_G JotForm Support
    Replied on April 6, 2018 at 12:46 PM

    I just would like to clarify that the Continue Forms Later option of your form has nothing to do with the sessions being saved.

    Continue Forms Later when enabled will save the data in the browser's storage. This is used to prevent the loss of data when respondents accidentally close or reload their browser. The data are stored in the local browser's storage for 24 hrs or until the form is successfully submitted within that period.

    Sessions, on the other hand, are saved when "session" with equivalent session ID is present in the URL parameter of the form and the Next button is clicked.

    You should not have the same issue after you change the field name/label of the session field in your form and not use the session parameter in your form URL.

  • steam23
    Replied on April 6, 2018 at 1:09 PM

    Thanks for the clarification. That helps a lot. I've edited the JavaScript on my Squarespace page to do a find and replace on 'session' so if anyone shows up with the URL I sent out it will be updated to the new variable name. Again, thanks for all your help.

    Edit: on the off chance that someone else is having the same issue and has come across this post, here is the code I changed to ensure it wouldn't happen with any other clients (highlights are my changes):

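            // Take everything after "?" in the page URL (the query string).
            var getUrl = window.location.href.substr(window.location.href.indexOf("?") + 1);

            // Rename the first occurrence of "session" to "apt" so old links no longer pass a session parameter to the form.
            var get = getUrl.replace("session","apt");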
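
A stricter version of the rename described in the last post, as an added example that is not part of the original thread or JotForm's code: it parses the query string and renames only a parameter whose key is `session`, where a substring replace changes the first match wherever it occurs. The replacement name `apt` comes from the post; the function names and the case-insensitive match are assumptions.

```javascript
// Added example. Reserved parameter names mapped to a harmless field name.
// "session" -> "apt" is the rename used in the thread.
const RESERVED = new Map([["session", "apt"]]);

// The substring approach, kept for comparison: it rewrites the first
// occurrence of "session" anywhere in the query, key or value.
function naiveRename(query) {
  return query.replace("session", "apt");
}

// Parse the page URL and rebuild the query for the embedded form, renaming
// only parameters whose *key* is reserved. Matching is case-insensitive as a
// conservative assumption; values and other keys are passed through intact.
function forwardableQuery(href) {
  const url = new URL(href);
  const out = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const renamed = RESERVED.get(key.toLowerCase());
    out.append(renamed !== undefined ? renamed : key, value);
  }
  return out.toString(); // "" when the URL has no query string
}

// The link from the thread, plus a constructed query in which the word
// "session" also appears as a value before the reserved key.
const THREAD_LINK =
  "https://www.anguslloyd.com/appointmentrequest" +
  "?student%5bfirst%5d=john&student%5blast%5d=doe&session=2";
const CONSTRUCTED_QUERY = "note=session&session=2";

console.log(forwardableQuery(THREAD_LINK));
console.log(naiveRename(CONSTRUCTED_QUERY));
console.log(forwardableQuery("https://example.com/form?" + CONSTRUCTED_QUERY));
```

With the constructed query, the substring replace alters the `note` value and leaves `session=2` in place, so the shared saved session would still load; the key-based rename removes it.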