web2py already uses the second method mentioned, as long as you call form.accepts(request, session) in your form action (you have to pass session to form.accepts because it stores the formkey in the session). Note, this also protects against double form submission (the formkey is only good for one submission).

Anthony
On Friday, July 15, 2011 10:38:57 AM UTC-4, Carl wrote:
> Any views/insight for adding (or not adding) one of this approaches to
> web2py for its FORMS ?
>
> http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html
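To make the session-stored, single-use formkey idea concrete, here is a constructed model of that check (added example; it is not web2py's own code, and the `FormKeyGuard` class, the `_formkey[...]` slot name and the dict-backed session are assumptions for illustration):

```python
import hmac
import secrets


class FormKeyGuard:
    """Constructed model of a per-form, single-use key kept in the session.
    Not web2py's implementation; it only illustrates the mechanism."""

    def __init__(self, session):
        # session: any dict-like store bound to the user's login session,
        # so a cross-site request can neither read nor set the key.
        self.session = session

    def issue(self, form_name):
        """Generate a fresh random key for this form and store it server-side."""
        key = secrets.token_urlsafe(32)
        self.session["_formkey[%s]" % form_name] = key
        return key

    def accepts(self, form_name, submitted_key):
        """Accept the POST only if the submitted key matches the stored one.
        The key is consumed on success, so the same submission cannot be
        replayed (double-submit protection). A request carrying no key or
        a wrong key is rejected without consuming the legitimate key."""
        slot = "_formkey[%s]" % form_name
        expected = self.session.get(slot)
        if expected is None or submitted_key is None:
            return False
        if not hmac.compare_digest(expected, submitted_key):
            return False
        del self.session[slot]
        return True


def demo():
    """Walk through the three cases the discussion cares about."""
    guard = FormKeyGuard(session={})
    key = guard.issue("login")
    genuine = guard.accepts("login", key)        # first submission: accepted
    replay = guard.accepts("login", key)         # same key again: rejected
    key = guard.issue("login")
    no_key = guard.accepts("login", None)        # cross-site POST without key
    wrong = guard.accepts("login", "x" * 43)     # cross-site POST, guessed key
    still_ok = guard.accepts("login", key)       # real form still works
    return genuine, replay, no_key, wrong, still_ok
```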

