>
> What is the recommended solution when this seems to happen randomly to
> some pages? Sounds like removing the session from the form opens up
> vulnerabilities.
>
It shouldn't happen "randomly". It should only happen when you open the
same page (or any page with a form that has the same formname) in the same
browser, and then go back to the original page and try to submit the
original form. We've talked about allowing multiple versions of the
_formkey for the same form to avoid this problem, but that hasn't been
implemented yet. Here's a possible way to achieve that (not tested):
def myform():
    # On submit, reuse the formname that was rendered into the posted form
    # so the _formkey lookup in the session matches.
    if '_formname' in request.post_vars:
        formname = request.post_vars._formname
    else:
        # On render, give this instance its own formname; session.form_count
        # is None the first time, so the else branch starts it at 1.
        max_forms = 10
        if session.form_count and session.form_count < max_forms:
            session.form_count += 1
        else:
            session.form_count = 1
        formname = 'myform_%s' % session.form_count
    form = SQLFORM(db.mytable).process(formname=formname)
    return dict(form=form)
That example will allow up to 10 distinct instances of the same form, each
with a unique _formname and matching _formkey. After 10, it starts
recycling formnames (and therefore overwriting old _formkeys).
Anthony
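To make the behaviour discussed in this thread concrete, the following is an added, stand-alone simulation of the one-key-per-formname check and of the rotating-formname workaround; it is not code from the original post or from web2py. The Session class, issue_form and accept_form are assumed stand-ins for what SQLFORM does on render and on process (store a random _formkey in the session under the _formname, then require a matching key on submit and consume it); next_formname carries over the counter logic from the post.

```python
import secrets

MAX_FORMS = 10  # same cap as in the post


class Session(dict):
    """Assumed stand-in for web2py's per-user session: holds one stored
    _formkey per _formname under the '_formkeys' entry."""


def issue_form(session, formname):
    """Render step: mint a fresh one-time _formkey for this formname and store
    it in the session. Rendering the same formname again overwrites the old
    key, which is what invalidates the earlier tab."""
    key = secrets.token_hex(16)
    session.setdefault('_formkeys', {})[formname] = key
    # What ends up in the page's hidden fields:
    return {'_formname': formname, '_formkey': key}


def accept_form(session, post_vars):
    """Submit step: accept only if a key is stored for the posted _formname
    and it equals the posted _formkey; consume it on success.
    A missing stored key is an explicit reject, so an unknown formname
    with no key cannot slip through as None == None."""
    stored = session.get('_formkeys', {}).get(post_vars.get('_formname'))
    if stored is None or stored != post_vars.get('_formkey'):
        return False
    del session['_formkeys'][post_vars['_formname']]
    return True


def next_formname(session, base='myform', max_forms=MAX_FORMS):
    """The counter from the post: a distinct formname per render, recycling
    the names (and overwriting their keys) after max_forms."""
    count = session.get('form_count')
    if count and count < max_forms:
        count += 1
    else:
        count = 1
    session['form_count'] = count
    return '%s_%s' % (base, count)


def scenario_single_name():
    """Two tabs render the same formname: the second overwrites the first key,
    so submitting the first tab is rejected (the behaviour the question sees)."""
    s = Session()
    tab1 = issue_form(s, 'myform')
    tab2 = issue_form(s, 'myform')
    return accept_form(s, tab1), accept_form(s, tab2)


def scenario_rotated_names():
    """With per-render formnames both tabs keep their own key and both submit."""
    s = Session()
    tab1 = issue_form(s, next_formname(s))
    tab2 = issue_form(s, next_formname(s))
    return accept_form(s, tab1), accept_form(s, tab2)


def scenario_recycle(n=MAX_FORMS + 1):
    """Render n forms; once n exceeds max_forms the first name is reused and
    its old key overwritten, so only the newest tab for that name submits."""
    s = Session()
    tabs = [issue_form(s, next_formname(s)) for _ in range(n)]
    return accept_form(s, tabs[0]), accept_form(s, tabs[-1])


if __name__ == '__main__':
    print('same formname, two tabs  :', scenario_single_name())
    print('rotated formnames        :', scenario_rotated_names())
    print('rotation past the cap    :', scenario_recycle())
```

The last scenario shows the trade-off the post names: after max_forms renders the oldest key is recycled, so a very old tab fails exactly as before, while a submission that carries no key, or a key for a formname never rendered in that session, is still rejected.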