See http://web2py.com/book/default/chapter/01?search=CSRF and http://web2py.com/book/default/chapter/07#Hidden-fields.
On Friday, July 15, 2011 10:49:08 AM UTC-4, Anthony wrote:
> web2py already uses the second method mentioned, as long as you call
> form.accepts(request, session) in your form action (you have to pass
> session to form.accepts because it stores the formkey in the session).
> Note, this also protects against double form submission (the formkey is
> only good for one submission).
>
> Anthony
>
> On Friday, July 15, 2011 10:38:57 AM UTC-4, Carl wrote:
>
>> Any views/insight for adding (or not adding) one of these approaches to
>> web2py for its FORMS?
>>
>> http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html
>
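For readers who want to see the mechanism the thread describes spelled out, below is an added, self-contained illustration of the synchronizer-token flow: a fresh formkey is minted when the form is rendered, stored server-side in the session, echoed back in a hidden field, and consumed on the first successful submission so a double submit or replay fails. This is example code written for this page, not web2py's own implementation; the function names make_form and accept_form, the dict used as a stand-in for the session, and the "_formkey[<formname>]" session slot are assumptions chosen to mirror the hidden fields web2py's FORM uses, not a description of its internals.

```python
import hmac
import secrets

# Added example, not web2py code. The session is modelled as a plain dict
# standing in for a server-side session store keyed by the user's cookie.


def make_form(session, formname="form_one"):
    """Render step: mint a one-time formkey, remember it in the session,
    and return the hidden fields that the HTML form would carry."""
    formkey = secrets.token_urlsafe(32)          # 256 bits, unguessable
    session[f"_formkey[{formname}]"] = formkey   # assumed slot name
    return {"_formname": formname, "_formkey": formkey}


def accept_form(request_vars, session):
    """Submit step: accept only if the hidden _formkey equals the key the
    session holds for that form name, then discard the key so the same
    submission cannot be accepted twice."""
    formname = request_vars.get("_formname")
    submitted = request_vars.get("_formkey", "")
    slot = f"_formkey[{formname}]"
    expected = session.get(slot)
    if expected is None:
        return False                      # form never rendered, or already used
    if not hmac.compare_digest(expected, submitted):
        return False                      # cross-site forgery or tampering
    del session[slot]                     # single use: burn the key
    return True


def demo():
    """Walk through the three cases the thread cares about and return the
    verdicts as (forged, legitimate, replayed)."""
    session = {}                          # constructed stand-in session
    hidden = make_form(session)

    # 1. A cross-site POST: the attacker can guess the form name but has
    #    no access to the victim's session-bound key.
    forged = accept_form(
        {"_formname": "form_one", "_formkey": "attacker-guess", "email": "x"},
        session,
    )

    # 2. The legitimate browser submits the rendered form, hidden fields intact.
    legitimate = accept_form({**hidden, "email": "alice@example.com"}, session)

    # 3. The same POST arrives again (double click, back button, replay).
    replayed = accept_form({**hidden, "email": "alice@example.com"}, session)

    return forged, legitimate, replayed


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

The key lives in the session and never in a cookie alone, so a forged request that the browser sends with the victim's cookies still lacks the value the server expects. The check buys nothing against a script injected into the page itself, which can read the hidden field, so the token complements rather than replaces output escaping against XSS.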

