in gluon/html.py in accepts() formkey = self.session.get('_formkey[%s]' % self.formname, None) # check if user tampering with form and void CSRF if formkey != self.request_vars._formkey: status = False
Under dev_appserver.py then status is set to False. Under Web2py then status remains True because the "if" check fails. So, dev_appserver self.session.get() is failing to get the formkey. Anyone have a clue to why?