>
> The easiest way to implement this is to replace self.formkey and 
> self.session.formkey in gluon/html.py so that it stores not one key but the 
> last 10 keys.
>

The number should be configurable.
 

> I am still unsure about this. We can make it work but allowing the past 10 
> open forms to still be submitted can be considered a vulnerability.
>

How would that be exploited?

Anthony 
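An added sketch of the bounded key list discussed in this thread. It is not part of the original messages and not web2py's code. The session is modelled as a plain dict, and `MAX_FORMKEYS`, `_formkeys`, `issue_formkey` and `consume_formkey` are hypothetical names. Each key is accepted once and the oldest keys are evicted when the limit is exceeded.

```python
import hmac
import secrets

MAX_FORMKEYS = 10  # hypothetical setting; the thread asks for a configurable number


def issue_formkey(session, formname, max_keys=MAX_FORMKEYS):
    """Create a key for a newly rendered form and remember it in the session."""
    keys = session.setdefault("_formkeys", {}).setdefault(formname, [])
    key = secrets.token_urlsafe(32)
    keys.append(key)
    # Evict the oldest keys so that at most max_keys open forms stay submittable.
    del keys[:max(0, len(keys) - max_keys)]
    return key


def consume_formkey(session, formname, submitted):
    """Accept a submitted key once; False if unknown, evicted or already used."""
    if not isinstance(submitted, str):
        return False
    keys = session.get("_formkeys", {}).get(formname, [])
    candidate = submitted.encode("utf-8")
    for i, key in enumerate(keys):
        # Constant-time comparison of the stored key and the submitted value.
        if hmac.compare_digest(key.encode("utf-8"), candidate):
            del keys[i]  # single use: a second submission of this key fails
            return True
    return False


if __name__ == "__main__":
    session = {}  # constructed stand-in for the per-user session store
    issued = [issue_formkey(session, "profile", max_keys=3) for _ in range(4)]
    print(consume_formkey(session, "profile", issued[0]))  # evicted key
    print(consume_formkey(session, "profile", issued[1]))  # still valid
    print(consume_formkey(session, "profile", issued[1]))  # same key again
```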
