To clarify...

crud.create and crud.update have XSRF protection.

SQLFORM with accepts(request,session) has it too.

SQLFORM with accepts(request) and no session passed has no XSRF. This
is intentional to allow passing forms, for example, from other apps.

On Jul 15, 9:53 am, Carl Roach <[email protected]> wrote:
> that's excellent news (and thanks for those links).
>
> if I'm defining the HTML of a form in a file in my views/ directory
> how do I leverage this gatekeeper?
>
> On 15 July 2011 15:49, Anthony <[email protected]> wrote:
>
> > web2py already uses the second method mentioned, as long as you call
> > form.accepts(request, session) in your form action (you have to pass session
> > to form.accepts because it stores the formkey in the session). Note, this
> > also protects against double form submission (the formkey is only good for
> > one submission).
>
> > Anthony
> > On Friday, July 15, 2011 10:38:57 AM UTC-4, Carl wrote:
>
> >> Any views/insight for adding (or not adding) one of these approaches to
> >> web2py for its FORMS?
>
> >> http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-att...

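As an added illustration (not code from this thread and not web2py's own implementation), here is a minimal model of the session-bound formkey check described above: a one-time key is stored in the session and emitted as hidden fields for the view, `accepts` verifies and consumes the key when a session is passed, and skips the check when no session is passed. The class, the field names `_formname`/`_formkey` and the session slot name are assumptions of the model.

```python
import secrets


class FormGuard:
    """Simplified model of the formkey mechanism discussed in the thread.

    The key lives in the session under a per-form slot; a submission is
    accepted only if it carries the key currently stored there, and the key
    is removed on acceptance, so a second submit of the same form fails.
    """

    def __init__(self, formname):
        self.formname = formname
        self.session_slot = "_formkey[%s]" % formname  # assumed slot name

    def hidden_fields(self, session):
        """Return the hidden inputs a hand-written view must render."""
        key = secrets.token_hex(16)
        session[self.session_slot] = key
        return {"_formname": self.formname, "_formkey": key}

    def accepts(self, request_vars, session=None):
        """With a session: verify the formkey (XSRF + double-submit guard).
        Without a session: no check, mirroring the intentional rule above."""
        if request_vars.get("_formname") != self.formname:
            return False
        if session is None:
            return True  # intentional: no session passed, no XSRF check
        expected = session.get(self.session_slot)
        submitted = request_vars.get("_formkey")
        if not expected or not submitted:
            return False
        if not secrets.compare_digest(expected, submitted):
            return False
        del session[self.session_slot]  # one-time key: blocks resubmission
        return True


def demo():
    """Constructed walk-through; returns (forged, first, second, no_session)."""
    session = {}
    guard = FormGuard("contact")
    fields = guard.hidden_fields(session)  # what the view would embed
    forged = guard.accepts({"_formname": "contact", "_formkey": "x" * 32}, session)
    post = {"_formname": "contact", "_formkey": fields["_formkey"], "msg": "hi"}
    first = guard.accepts(post, session)   # genuine submit: accepted
    second = guard.accepts(post, session)  # same key again: rejected
    no_session = guard.accepts({"_formname": "contact"})  # unchecked path
    return forged, first, second, no_session
```

A view-defined form would simply include the two values from `hidden_fields` as `<input type="hidden">` elements and then be validated with `accepts(request.vars, session)`.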