<br><br><div class="gmail_quote">On Sun, Mar 28, 2010 at 6:05 PM, Tomas Doran <span dir="ltr"><<a href="mailto:bobtfish@bobtfish.net">bobtfish@bobtfish.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
On 29 Mar 2010, at 01:06, Bill Moseley wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I do this -- every POST must include token, and the token can only be used once. That means the form must be fetched before being posted (to generate the token).<br>
</blockquote>
<br></div>
Have anything generic you'd care to share? :)</blockquote><div><br></div><div>Nothing generic -- and it's not rocket science, either. Or very glamorous. I simply have a template macro for creating my &lt;form&gt; tag which also includes the hidden field with the token id.</div>
<div><br></div><div>Then, as part of the form validation process used for every post, I check that the token was provided and is valid. The token is either in the database or in memcached. (I have a form_posted() method that does this check, along with a check for the correct method (PUT or POST).)</div>
<div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
The issue is that if you're generating a form in javascript, and submitting it in javascript, then something finding forms in the page output (and adding a token automatically), which was what I initially suggested - would fail to find the form, and ergo you'd have an issue :)<br>
<br>
(i.e. it couldn't 'just work automatically' in that case without the application collaborating in some manner).</blockquote><div><br></div><div>I think I get it.</div><div><br></div><div>Thanks,</div><div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><div></div><div class="h5"><br></div></div></blockquote></div>-- <br>Bill Moseley<br><a href="mailto:moseley@hank.org">moseley@hank.org</a><br>
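<div>Added example, not code from this thread, from Bill Moseley's application or from Catalyst: a minimal Python sketch of the single-use token scheme described above (form macro emits a hidden token, every POST/PUT is checked by a form_posted() method, the token is consumed on use). It assumes an in-memory dict standing in for the database or memcached store, and the function names form_token(), hidden_field() and form_posted() are assumptions.</div>

```python
import hmac
import secrets
import time

# Constructed in-memory store standing in for the database / memcached
# mentioned in the thread: token -> (owning session id, expiry timestamp).
_tokens = {}
TOKEN_TTL = 3600  # seconds a fetched form may sit before it is posted


def form_token(session_id, now=None):
    """Mint a single-use token bound to the caller's session.
    Called when the <form> tag is rendered, so a form has to be fetched
    (GET) before it can be posted."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[token] = (session_id, now + TOKEN_TTL)
    return token


def hidden_field(session_id):
    """What the <form> template macro emits alongside the form tag."""
    return '<input type="hidden" name="csrf_token" value="%s">' % form_token(session_id)


def form_posted(method, params, session_id, now=None):
    """The check run as part of validation for every post.
    True only if the method is POST or PUT and the submitted token is
    present, unexpired, still unused, and bound to this session.
    The token is removed on lookup, so a second submission fails."""
    now = time.time() if now is None else now
    if method not in ("POST", "PUT"):
        return False
    submitted = params.get("csrf_token")
    if not submitted:
        return False
    # Consume the token whatever the outcome: a bad submission burns it.
    entry = _tokens.pop(submitted, None)
    if entry is None:
        return False
    owner, expires = entry
    if now > expires:
        return False
    # Constant-time compare so the session binding check leaks nothing.
    return hmac.compare_digest(owner, session_id)
```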