Could we just include something like a signed salt+timestamp+REMOTE_ADDR in a hidden field? It's not exactly bulletproof because of the possibility of a same-IP-CSRF (affecting people behind proxies), but it's dead simple and doesn't require a lot of code change: Form -> SafeForm + request as the first parameter to __init__. Heck, I'd even trust sed to do it for me ;).
Alternatively, since the only thing we need is to make sure that we're dealing with the same user across multiple requests, we could also provide some kind of a middleware that sets a sid-like cookie and include that instead of the REMOTE_ADDR. The obvious downside would be that you'd need to include it in settings.py.
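The hidden-field token proposed in this message, sketched as an added example that is not part of the original post and is not Django's code. The names `make_token`, `verify_token`, `SECRET_KEY` and `max_age`, the `salt:timestamp:signature` layout and the choice of HMAC-SHA256 as the signature are all assumptions; `binding` is either REMOTE_ADDR or the value of the sid-like cookie.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the site secret


def _sign(key, salt, timestamp, binding):
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (salt.encode(), timestamp.encode(), binding.encode())
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(binding, key=SECRET_KEY, now=None):
    """Value for the hidden field: salt:timestamp:signature."""
    salt = secrets.token_hex(8)
    timestamp = str(int(time.time() if now is None else now))
    return ":".join((salt, timestamp, _sign(key, salt, timestamp, binding)))


def verify_token(token, binding, key=SECRET_KEY, max_age=3600, now=None):
    """True only if the signature matches this binding and the token is fresh."""
    try:
        salt, timestamp, signature = token.split(":")
        issued = int(timestamp)
    except ValueError:
        return False  # wrong number of fields or non-numeric timestamp
    expected = _sign(key, salt, timestamp, binding)
    # Constant-time comparison on bytes; also tolerates non-ASCII input.
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return 0 <= current - issued <= max_age
```

With REMOTE_ADDR as the binding, every client behind one proxy address presents the same binding value, which is the same-IP case the message describes; passing the sid cookie value instead ties the token to one browser.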