Yes, when form.accepts (or form.process) is called, web2py generates 
the formname and formkey, adds those hidden fields to the form, and adds 
the formkey to the session (with the formname as the key). When the form is 
submitted, it checks that the formkey associated with the formname in the 
session matches the formname and formkey submitted. If not, it generates a 
new formkey and replaces the version in both the hidden field of the form 
and the session (for use on the next submission). If the submission is 
successful, the formkey is removed from the session so the form cannot be 
submitted again. This mechanism also protects against CSRF attacks (in 
fact, that is its primary benefit, as double submission can be and is 
prevented via client-side freezing of the submit button).

Anthony

On Monday, April 21, 2014 3:07:47 PM UTC-4, Sharon Correll wrote:

> I'm a web2py newbie, so please excuse me if I'm overlooking something 
> obvious.
>
> I'm trying to build my own custom form for creating and editing records in 
> a database. I'm trying to garner clues from the way SQLFORM does it.
>
> The documentation says:
>
>> The hidden field called "_formkey" is a one-time token that web2py uses to 
>> prevent double submission of forms. The value of this key is generated when 
>> the form is serialized and stored in the session. When the form is 
>> submitted this value must match, or else accepts returns False without 
>> errors as if the form was not submitted at all.
>
>
> I've dug into the session and found places where these keys appear to be 
> stored for the forms. My hypothesis is that after the form is processed, 
> the associated _formkey is placed in the session's list to prevent the form 
> being processed again.
>
> It seems then that I should be able to generate these myself. But when I 
> put my own key in the form, it never seems to be added to the session.
>
> Is it possible there is also some magic that happens when the form is 
> generated...?
>
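
A simplified model of the token lifecycle described in the reply above, as an added example (not web2py's own code and not written by either poster). The session is a plain dict, and the helper names and the session slot naming are assumptions.

```python
import hmac
import secrets

def slot(formname):
    # Session key holding this form's token (the naming is an assumption).
    return "_formkey[%s]" % formname

def issue_formkey(session, formname):
    """Store a fresh one-time token; return the hidden fields to render."""
    session[slot(formname)] = secrets.token_urlsafe(32)
    return {"_formname": formname, "_formkey": session[slot(formname)]}

def accepts(session, post_vars, formname):
    """Return (accepted, hidden_fields_for_re_render_or_None)."""
    expected = session.get(slot(formname))
    submitted = str(post_vars.get("_formkey", ""))
    ok = (expected is not None
          and post_vars.get("_formname") == formname
          and hmac.compare_digest(expected.encode(), submitted.encode()))
    if ok:
        # Success: remove the token so the same POST cannot be replayed.
        del session[slot(formname)]
        return True, None
    # Missing or wrong token: treat as "not submitted" and rotate the token
    # in both the session and the hidden field for the next attempt.
    return False, issue_formkey(session, formname)

def demo():
    session = {}  # constructed stand-in for the per-user server-side session
    issue_formkey(session, "record_edit")  # form rendered once
    outcomes = []
    # 1. Key invented outside the server (hand-made form or cross-site POST):
    #    it was never placed in the session, so it cannot match.
    made_up = {"_formname": "record_edit", "_formkey": "my-own-key"}
    ok, hidden = accepts(session, made_up, "record_edit")
    outcomes.append(ok)
    # 2. Re-rendered form carries the rotated token: accepted once.
    ok, _ = accepts(session, dict(hidden, name="Alice"), "record_edit")
    outcomes.append(ok)
    # 3. Same POST replayed: the token is gone from the session.
    ok, _ = accepts(session, dict(hidden, name="Alice"), "record_edit")
    outcomes.append(ok)
    return outcomes

if __name__ == "__main__":
    print(demo())
```

The first case is the situation in the question: a key placed in the form by hand is rejected because only the server-side step that issues the token also records it in the session.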
