On Wed, Mar 9, 2011 at 11:24 AM, Stephen Lacy <slacy+perso...@slacy.com> wrote:
> In my form handling view, I'm using code that looks like this:
>
> if not request.session.csrf_valid(request.POST['csrft']):
>     return HTTPInternalServerError()

This is popular but I'd use HTTPBadRequest (400). It's a client error if the token is incorrect, not a server error. Otherwise it gives the impression that a bug made the server crash, and the server logs will say that too, so you can't count how many hack attempts vs genuine errors you got.

--
Mike Orr <sluggos...@gmail.com>
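
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Pylons or Pyramid code: a framework-neutral handler that answers 400 for a missing or wrong token and keeps 500 for real server faults, so the two can be counted separately. The names `check_csrf`, `handle`, `tally` and `sample_view` are assumptions; only the `csrft` field name comes from the quoted snippet.

```python
import hmac
import logging
from collections import Counter

log = logging.getLogger("csrf_example")  # hypothetical logger name


def check_csrf(session_token, post):
    """Return (status, reason) for the CSRF check on a form POST."""
    # .get(): an absent field must not raise KeyError and surface as a 500.
    submitted = post.get("csrft")
    if not isinstance(submitted, str) or not submitted:
        return 400, "csrf token missing"
    # Constant-time comparison of the submitted token with the session's token.
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return 400, "csrf token mismatch"
    return 200, "ok"


def handle(session_token, post, view):
    """Run the check, then the view; only unexpected exceptions become 500."""
    status, reason = check_csrf(session_token, post)
    if status != 200:
        # Client error: logged at warning level so rejections can be counted.
        log.warning("rejected form post: %s", reason)
        return status
    try:
        view(post)
    except Exception:
        # Genuine server-side fault: logged with traceback, reported as 500.
        log.exception("view failed")
        return 500
    return 200


def tally(session_token, requests, view):
    """Count responses by status code, as a log summary would."""
    return Counter(handle(session_token, post, view) for post in requests)


def sample_view(post):
    # Constructed view with a deliberate bug: it assumes an "email" field.
    return post["email"].lower()
```

In a Pyramid view the 400 branch corresponds to returning `HTTPBadRequest()` in place of the `HTTPInternalServerError()` in the quoted snippet.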