The easiest way to implement this is to replace self.formkey and self.session.formkey in gluon/html.py so that it stores not one key but the last 10 keys. Moreover, for security, when a key is used it must be discarded.
I am still unsure about this. We can make it work but allowing the past 10 open forms to still be submitted can be considered a vulnerability. Any opinion?

Massimo

On Thursday, 28 June 2012 16:08:18 UTC-5, Anthony wrote:
>
>> What is the recommended solution when this seems to happen randomly to some pages? Sounds like removing the session from the form opens up vulnerabilities.
>
> It shouldn't happen "randomly". It should only happen when you open the same page (or any page with a form that has the same formname) in the same browser, and then go back to the original page and try to submit the original form. We've talked about allowing multiple versions of the _formkey for the same form to avoid this problem, but that hasn't been implemented yet. Here's a possible way to achieve that (not tested):
>
> def myform():
>     if '_formname' in request.post_vars:
>         formname = request.post_vars._formname
>     else:
>         max_forms = 10
>         if session.form_count and session.form_count < max_forms:
>             session.form_count += 1
>         else:
>             session.form_count = 1
>         formname = 'myform_%s' % session.form_count
>     form = SQLFORM(db.mytable).process(formname=formname)
>     return dict(form=form)
>
> That example will allow up to 10 distinct instances of the same form, each with a unique _formname and matching _formkey. After 10, it starts recycling formnames (and therefore overwriting old _formkeys).
>
> Anthony
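Added example, not code from this thread or from web2py itself: a small stand-in for the session-side formkey handling Massimo describes, keeping the last 10 keys per form name and discarding a key on first use so that a captured token cannot be replayed. The session is modelled as a plain dict, and the names FormKeyStore, issue and consume are assumptions chosen for the example.

```python
import secrets

MAX_KEYS = 10  # assumption: keep the last 10 keys per form name, as proposed above


class FormKeyStore:
    """Hypothetical stand-in for storing _formkey values in a session.

    Instead of one key per form name, a window of the most recent keys is
    kept, so several open tabs of the same form can each be submitted once.
    A key is removed the moment it is accepted, which keeps the window from
    turning into a replay allowance.
    """

    def __init__(self, session, max_keys=MAX_KEYS):
        self.session = session      # any dict-like object (a web2py session would do)
        self.max_keys = max_keys

    def _keys(self, formname):
        # one list of outstanding keys per form name, created on demand
        return self.session.setdefault('_formkeys', {}).setdefault(formname, [])

    def issue(self, formname):
        """Generate a fresh key for a newly rendered form and remember it."""
        keys = self._keys(formname)
        key = secrets.token_urlsafe(32)   # unpredictable, 256 bits of entropy
        keys.append(key)
        del keys[:-self.max_keys]         # drop the oldest keys beyond the window
        return key

    def consume(self, formname, submitted):
        """Accept a submitted key exactly once; return True if it was valid."""
        if not submitted:
            return False
        keys = self._keys(formname)
        for key in keys:
            if secrets.compare_digest(key, submitted):   # constant-time compare
                keys.remove(key)          # one-time use: discard on acceptance
                return True
        return False


def demo():
    """Simulate 11 tabs opening the same form, then submitting in odd orders."""
    store = FormKeyStore({})            # constructed, empty session
    tabs = [store.issue('myform') for _ in range(11)]
    return {
        'oldest_tab_evicted': not store.consume('myform', tabs[0]),
        'second_tab_accepted': store.consume('myform', tabs[1]),
        'second_tab_replay_rejected': not store.consume('myform', tabs[1]),
        'newest_tab_accepted': store.consume('myform', tabs[10]),
        'unknown_key_rejected': not store.consume('myform', 'not-a-real-key'),
    }


if __name__ == '__main__':
    for check, ok in demo().items():
        print('%-28s %s' % (check, 'ok' if ok else 'FAIL'))
```

The window is per form name, so the trade-off Massimo raises is bounded: at most 10 outstanding keys exist for a given form, each usable once, and the oldest is silently evicted when an eleventh tab is opened.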

