Oops, I forgot the mechanism was altered not long ago. Now you can open up 
to 10 versions of a form and submit any of them (previously, opening a new 
version of a form, say in a separate browser tab, would invalidate any 
previously opened versions because the formkey was overwritten in the 
session). The process is still similar -- when you create and process the 
form, its formkey goes into a list in the session (which grows to a max of 
10, on a first-in-first-out basis). When the form is submitted, it checks 
for the form's formkey in that list, and if present, the form is accepted 
and that formkey is deleted from the list (so it cannot be re-used).

I'm not sure you are inspecting the session at the right time. When you 
load a new form on a page, you should see the formkey in the hidden field 
of that form also appear appended to the end of the formkey list in the 
session. When you submit that form, you should no longer see its formkey in 
the session -- instead, assuming a fresh form has loaded into the page, it 
should have a new formkey, and that new formkey should now be in the 
session list.

I would say, to check the session, include response.toolbar() in the view, 
but unfortunately, it looks like there is a bug that prevents the toolbar 
from showing session keys that begin with an underscore (such as _formkey).

Anthony

On Monday, April 21, 2014 5:38:11 PM UTC-4, Sharon Correll wrote:

> Well, that *seems* like a very different process from what I'm seeing. I 
> have a form called "langResource/9" (to modify a record with id=9 from the 
> langResource table). The value that I see in the session is:
>
> '_formkey[langResource/9]': ['79f4f99e-9205-460d-97b1-44038b475307',
>     '1c0d6498-0807-470c-a12a-b322b4497ebe', 
> '741f801b-3aed-41e1-8677-f60441d7d08f',
>     '1f02a0fe-ad43-4d7b-b5a3-8f243cfa61a2', 
> 'a5217aeb-54c5-4431-8531-444a3306f09d',
>     '381170ee-4c94-4fad-b2bf-76234cc01df2', 
> '15949cfb-d7ce-41a5-b211-f023fedc747f',
>     'ab577662-311d-4b54-9706-0a63bedac2db', 
> '5861005d-5eb1-406b-826f-7e7995ed03e4']
>
> (and of course there are many other keys similar to this). The hidden 
> fields in the HTML look like:
>
> <div style="display:none">
>    <input name="id" type="hidden" value="9">
>    <input name="_formkey" type="hidden" value=
> "734b92bb-6c05-4916-858c-fe11765d8aff" >
>    <input name="_formname" type="hidden" value="langResource/9" >
>  </div>
>
> I don't see that number in the list above, or anywhere in the session. 
> After I press the submit button, the session looks like:
>
> '_formkey[langResource/9]': ['79f4f99e-9205-460d-97b1-44038b475307',
>     '1c0d6498-0807-470c-a12a-b322b4497ebe', 
> '741f801b-3aed-41e1-8677-f60441d7d08f',
>     '1f02a0fe-ad43-4d7b-b5a3-8f243cfa61a2', 
> 'a5217aeb-54c5-4431-8531-444a3306f09d', 
>     '381170ee-4c94-4fad-b2bf-76234cc01df2', 
> '15949cfb-d7ce-41a5-b211-f023fedc747f', 
>     'ab577662-311d-4b54-9706-0a63bedac2db', 
> '5861005d-5eb1-406b-826f-7e7995ed03e4',
>     '734b92bb-6c05-4916-858c-fe11765d8aff']
>
> I.e., it has now been appended to the end of the list.
>
> So if the key is somewhere in the session *before* the form is processed, 
> I sure would like to know where. I don't see it at all.
>
> On Monday, April 21, 2014 2:50:33 PM UTC-5, Anthony wrote:
>>
>> Yes, when the form.accepts (or form.process) is called, web2py generates 
>> the formname and formkey, adds those hidden fields to the form, and adds 
>> the formkey to the session (with the formname as the key). When the form is 
>> submitted, it checks that the formkey associated with the formname in the 
>> session matches the formname and formkey submitted. If not, it generates a 
>> new formkey and replaces the version in both the hidden field of the form 
>> and the session (for use on the next submission). If the submission is 
>> successful, the formkey is removed from the session so the form cannot be 
>> submitted again. This mechanism also protects against CSRF attacks (in 
>> fact, that is its primary benefit, as double submission can be and is 
>> prevented via client-side freezing of the submit button).
>>
>> Anthony
>>
>
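The following is an added illustration of the list-based formkey mechanism Anthony describes at the top of this thread (and, by contrast, the single-key scheme in his earlier quoted reply); it is not web2py's own code. It assumes the session is a plain dict keyed `_formkey[<formname>]` as in Sharon's dump, uses uuid4 tokens as web2py does, and the function names (`issue_formkey`, `accept_submission`, `process_form`) are hypothetical. Note that web2py's actual cap of 10 is the only number taken from the thread.

```python
import uuid

# web2py keeps at most this many outstanding formkeys per formname (FIFO).
MAX_FORMKEYS = 10


def session_key(formname):
    """Session entry name, matching the '_formkey[langResource/9]' form seen in the thread."""
    return f"_formkey[{formname}]"


def issue_formkey(session, formname):
    """Generate a fresh formkey for the form about to be rendered and append it to
    the session list for that formname, evicting the oldest beyond MAX_FORMKEYS."""
    key = str(uuid.uuid4())
    keys = session.setdefault(session_key(formname), [])
    keys.append(key)
    del keys[:-MAX_FORMKEYS]  # first-in-first-out: drop everything but the newest 10
    return key


def accept_submission(session, formname, submitted_key):
    """Accept a submission only if its formkey is still in the session list for
    that formname, and consume the key so the same submission cannot be replayed.
    A key issued under a different formname, or already used, is rejected."""
    keys = session.get(session_key(formname), [])
    if submitted_key and submitted_key in keys:
        keys.remove(submitted_key)
        return True
    return False


def process_form(session, formname, request_vars):
    """One request cycle as a web2py view would see it: validate the posted
    _formname/_formkey pair (if any) against the session, then issue the key for
    the fresh form rendered in the response. Returns (accepted, new_formkey)."""
    accepted = False
    if request_vars.get("_formname") == formname:
        accepted = accept_submission(session, formname, request_vars.get("_formkey"))
    new_key = issue_formkey(session, formname)
    return accepted, new_key


def walkthrough():
    """Constructed scenario mirroring the thread: GET renders the form, POST
    submits it, a second POST replays the same key. Returns the three outcomes."""
    session = {}  # stand-in for the web2py session object
    _, first_key = process_form(session, "langResource/9", {})
    posted = {"id": "9", "_formname": "langResource/9", "_formkey": first_key}
    accepted, _ = process_form(session, "langResource/9", posted)
    replayed, _ = process_form(session, "langResource/9", posted)
    return first_key in session[session_key("langResource/9")], accepted, replayed


if __name__ == "__main__":
    print(walkthrough())  # first key no longer in session, first POST accepted, replay rejected
```

Two things this makes visible that the thread's session dumps do not: the key in the hidden field is appended at render time (so it should already be in the session before the POST, which is Anthony's point), and a key is deleted on the first successful submission, which is what gives the CSRF and double-submit protection. Because the list holds whichever key the browser sends back among the last ten issued, opening the form in several tabs no longer invalidates the others.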

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.