Well, that *seems* like a very different process from what I'm seeing. I have a form called "langResource/9" (to modify a record with id=9 from the langResource table). The value that I see in the session is:

'_formkey[langResource/9]': ['79f4f99e-9205-460d-97b1-44038b475307', '1c0d6498-0807-470c-a12a-b322b4497ebe', '741f801b-3aed-41e1-8677-f60441d7d08f', '1f02a0fe-ad43-4d7b-b5a3-8f243cfa61a2', 'a5217aeb-54c5-4431-8531-444a3306f09d', '381170ee-4c94-4fad-b2bf-76234cc01df2', '15949cfb-d7ce-41a5-b211-f023fedc747f', 'ab577662-311d-4b54-9706-0a63bedac2db', '5861005d-5eb1-406b-826f-7e7995ed03e4']

(and of course there are many other keys similar to this).

The hidden fields in the HTML look like:

<div style="display:none">
  <input name="id" type="hidden" value="9">
  <input name="_formkey" type="hidden" value="734b92bb-6c05-4916-858c-fe11765d8aff">
  <input name="_formname" type="hidden" value="langResource/9">
</div>

I don't see that number in the list above, or anywhere in the session. After I press the submit button, the session looks like:

'_formkey[langResource/9]': ['79f4f99e-9205-460d-97b1-44038b475307', '1c0d6498-0807-470c-a12a-b322b4497ebe', '741f801b-3aed-41e1-8677-f60441d7d08f', '1f02a0fe-ad43-4d7b-b5a3-8f243cfa61a2', 'a5217aeb-54c5-4431-8531-444a3306f09d', '381170ee-4c94-4fad-b2bf-76234cc01df2', '15949cfb-d7ce-41a5-b211-f023fedc747f', 'ab577662-311d-4b54-9706-0a63bedac2db', '5861005d-5eb1-406b-826f-7e7995ed03e4', '734b92bb-6c05-4916-858c-fe11765d8aff']

I.e., it has now been appended to the end of the list. So if the key is somewhere in the session *before* the form is processed, I sure would like to know where. I don't see it at all.

On Monday, April 21, 2014 2:50:33 PM UTC-5, Anthony wrote:
>
> Yes, when the form.accepts (or form.process) is called, web2py generates
> the formname and formkey, adds those hidden fields to the form, and adds
> the formkey to the session (with the formname as the key). When the form is
> submitted, it checks that the formkey associated with the formname in the
> session matches the formname and formkey submitted.
> If not, it generates a
> new formkey and replaces the version in both the hidden field of the form
> and the session (for use on the next submission). If the submission is
> successful, the formkey is removed from the session so the form cannot be
> submitted again. This mechanism also protects against CSRF attacks (in
> fact, that is its primary benefit, as double submission can and is
> prevented via client-side freezing of the submit button).
>
> Anthony
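
A minimal model of the per-form, one-time key check described in the quoted reply, added here as an illustration; it is not web2py's source and not part of the original thread. The function names, the plain dict standing in for the session, and the cap of ten outstanding keys per form name are assumptions.

```python
import hmac
import uuid

MAX_KEYS = 10  # assumption: cap on outstanding keys kept per form name


def issue_formkey(session, formname):
    """Create a one-time key, store it in the session, return it for the hidden field."""
    slot = "_formkey[%s]" % formname
    key = str(uuid.uuid4())
    # Keep a short list so the same form open in several tabs stays valid in each.
    session[slot] = list(session.get(slot, []))[-(MAX_KEYS - 1):] + [key]
    return key


def accept_submission(session, post_vars):
    """Accept only if the posted _formkey was issued for this _formname in this
    session. A key is consumed on first use."""
    formname = post_vars.get("_formname")
    posted = post_vars.get("_formkey")
    if not formname or not posted:
        return False
    issued = session.get("_formkey[%s]" % formname, [])
    for known in issued:
        # Constant-time comparison against each key issued for this form.
        if hmac.compare_digest(known.encode(), posted.encode()):
            issued.remove(known)  # one-time use: resending the same POST fails
            return True
    return False


def demo():
    session = {}  # constructed stand-in for the server-side session
    key = issue_formkey(session, "langResource/9")
    post = {"id": "9", "_formname": "langResource/9", "_formkey": key}
    forged = dict(post, _formkey=str(uuid.uuid4()))  # sender does not know the key
    wrong_form = dict(post, _formname="langResource/10")  # key bound to another form
    return {
        "forged": accept_submission(session, forged),
        "wrong_form": accept_submission(session, wrong_form),
        "first": accept_submission(session, post),
        "replay": accept_submission(session, post),
        "left": len(session["_formkey[langResource/9]"]),
    }


if __name__ == "__main__":
    print(demo())
```
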