Well, web2py protects against CSRF by inserting a hidden _formkey value in each form and storing the matching _formkey in the session. This is done when the form is created, so it happens whenever you load a page with a form on it. You might consider using a robots.txt (http://www.robotstxt.org/) file to tell crawlers not to go to the /default/user URL.
Anthony

On Monday, May 6, 2013 9:32:00 AM UTC-4, Andriy wrote:
> Yes, *def user()* in *default.py* has a form for login. If I put:
>
>     if not auth.user:
>         session.forget(response)
>
> in this function, then the session is not created, but logging in no longer
> works. Can something else be done to turn off session creation by this
> function and not break login?
>
> Apparently bots are "clicking" on the Login button frequently and this creates
> a huge number of sessions.
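The form-key scheme Anthony describes above, written out as a stand-alone added example. This is not web2py's own code: the session is a plain dict, the `_formkey[login]` slot name, the `_formname` field, the login URL and the single-use behaviour of the key are assumptions made for illustration. It shows both halves of the mechanism (key minted and stored when the form is rendered, checked and consumed when the form is accepted) and why a crawler that only ever GETs the page still leaves a session behind.

```python
import hmac
import re
import secrets

FORMNAME = "login"


def _slot(formname):
    # Session slot holding the live key for one form; the naming is an assumption.
    return "_formkey[%s]" % formname


def render_form(session, formname=FORMNAME):
    """Build the login form.

    Creating the form mints a fresh random key, stores it in the session and
    embeds it as the hidden _formkey field. That is the side effect the thread
    is about: an anonymous GET of the page (a crawler, say) now carries
    session state even though nobody will ever submit the form.
    """
    key = secrets.token_urlsafe(32)
    session[_slot(formname)] = key
    return (
        '<form method="post" action="/default/user/login">'   # URL assumed
        '<input type="text" name="email">'
        '<input type="password" name="password">'
        '<input type="hidden" name="_formname" value="%s">'
        '<input type="hidden" name="_formkey" value="%s">'
        '<button type="submit">Login</button>'
        '</form>' % (formname, key)
    )


def extract_formkey(html):
    """Pull the hidden _formkey out of rendered HTML (what a browser would POST back)."""
    m = re.search(r'name="_formkey" value="([^"]+)"', html)
    return m.group(1) if m else None


def accepts(session, post_vars, formname=FORMNAME):
    """Decide whether a submission is genuine.

    The stored key is consumed on every attempt, pass or fail, so a replayed
    or guessed value cannot be retried against the same session. The compare
    is constant-time. Returns True only when the submitted _formkey matches
    the one this session issued.
    """
    expected = session.pop(_slot(formname), None)
    submitted = post_vars.get("_formkey")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def crawler_hits(n):
    """Simulate n crawler GETs of the form page, each arriving with no cookie.

    Every GET gets its own empty session and leaves a form key in it, so n
    hits produce n stored sessions. Returns how many sessions hold a key.
    """
    sessions = [{} for _ in range(n)]
    for s in sessions:
        render_form(s)
    return sum(1 for s in sessions if _slot(FORMNAME) in s)


if __name__ == "__main__":
    session = {}                      # stands in for the framework's session object
    html = render_form(session)
    key = extract_formkey(html)
    print("genuine submit:", accepts(session, {"_formkey": key}))
    print("replayed key:  ", accepts(session, {"_formkey": key}))
    print("5 crawler GETs -> sessions holding a key:", crawler_hits(5))
```

The point of `crawler_hits` is the one Andriy ran into: because the key must exist before the POST can be validated, it has to be written into the session at render time, so the cost is paid on every GET, which is why a robots.txt exclusion for the form URL is the suggested lever rather than skipping session creation.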