Note, the book now recommends using .validate() or .process(), and they default to using the session (and therefore protecting against CSRF). I believe CSRF protection is on by default in Crud, Auth, and SQLFORM.grid as well. I agree, though, that the book should discuss CSRF in the context of form submission and make it clear that excluding the session from .accepts() is a security risk.
Anthony

On Friday, March 30, 2012 9:17:52 PM UTC-4, nick name wrote:

> I was intrigued by this discussion:
> http://news.ycombinator.com/item?id=3778158 about CSRF.
>
> Do I understand correctly that the FORM / SQLFORM CSRF protection only
> works when you pass a session (which is by default None)?
>
> If so, I think it is important to update the book to caution everyone to
> use the session variable with forms - it is not stressed enough.
>
> Also, this might be serious enough to warrant a breaking change like the
> default views - e.g.:
>
> if the user is ok with the current situation, they have to pass
> "session=DISABLE_CSRF_PROTECTION" to form/sqlform
> Otherwise, a form with "session=None" will always fail to accept.
>
> (unless you set something like:
> request.default_session=DISABLE_CSRF_PROTECTION)
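To make the point of the thread concrete, here is a small added illustration (not web2py's own code, and not from either poster) of the mechanism the discussion is about: a per-form one-time token is minted when the form is rendered, kept in the server-side session, and compared on submission. The hidden field names `_formname` and `_formkey` are modelled on the ones web2py uses, but the `render_form` and `accepts` functions, the session dictionary and the form name `login` are simplified stand-ins constructed for this example. The `session is None` branch shows why passing no session leaves nothing to check against.

```python
"""Added illustration of session-backed form tokens (not web2py's code).

A token stored only in the user's session cannot be known by a third-party
page that submits the form on the user's behalf, so the comparison rejects
such submissions. With session=None the comparison is skipped entirely.
"""
import secrets


def render_form(session, formname):
    """Build the hidden fields for a form (simplified stand-in for web2py's
    FORM). When a session is available, mint a one-time token, store it in
    the session under the form name and embed it as a hidden field."""
    fields = {"_formname": formname}
    if session is not None:
        token = secrets.token_hex(16)
        session["_formkey[%s]" % formname] = token
        fields["_formkey"] = token
    return fields


def accepts(post_vars, session, formname):
    """Decide whether a submission is accepted (simplified stand-in for
    form.accepts(request, session)). With a session, the submitted token
    must match the stored one and is consumed so it cannot be replayed.
    With session=None there is no stored token, so any POST that names the
    form is accepted: that is the risk the thread is about."""
    if post_vars.get("_formname") != formname:
        return False
    if session is None:
        return True  # no CSRF check possible without a session
    expected = session.pop("_formkey[%s]" % formname, None)
    submitted = post_vars.get("_formkey")
    if expected is None or submitted is None:
        return False
    # constant-time comparison so the check does not leak token bytes
    return secrets.compare_digest(expected, submitted)


def demo():
    """Run the four cases a practitioner would want to see side by side."""
    session = {}
    form = render_form(session, "login")

    # 1. The user's own browser echoes the hidden token back: accepted.
    legit = accepts(dict(form), session, "login")
    # 2. The same token submitted again: rejected, it was consumed.
    replay = accepts(dict(form), session, "login")

    # 3. A submission from a page that cannot read the user's session
    #    (constructed: it can only guess the token): rejected.
    victim_session = {}
    render_form(victim_session, "login")
    forged = accepts({"_formname": "login", "_formkey": "guess"},
                     victim_session, "login")

    # 4. The form was accepted with session=None: the same foreign
    #    submission goes straight through.
    no_session = accepts({"_formname": "login"}, None, "login")

    return {"legit": legit, "replay": replay,
            "forged": forged, "no_session": no_session}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-10s accepted=%s" % (case, accepted))
```

The only difference between case 3 and case 4 is whether a session was handed to `accepts`; the submitted data is identical. That is why the thread argues that omitting the session from `.accepts()` should be called out in the book rather than left as a quiet default.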

