[web2py] Re: SQLFORM doesn't work when browser cookies are disabled

2016-12-30 Thread Anthony
By default, forms include a hidden _formkey field, with the formkey also stored in the session. Upon submission, if the submitted formkey does not match one in the session, the submission is rejected -- this prevents CSRF attacks as well as double submission. If you set session=None, you disable

[web2py] Re: SQLFORM doesn't work when browser cookies are disabled

2016-12-30 Thread Anthony
Note, to simply prevent a double submission via a page reload, after the initial submission, you can do a redirect to the same page (in that case, a double submission will only happen if the user hits the back button, but not upon a reload). If you want to prevent any double submission, you'll

[web2py] Re: SQLFORM doesn't work when browser cookies are disabled

2016-12-30 Thread Gaurav Vichare
Thanks Anthony for the reply! I used session=None because SQLFORM was not working on disabling browser cookies. Why can't you use cookies? Currently I am using session and cookies, but I am worried about the users who disable/block their browser cookies (don't know the % of such users). I disabled m

[web2py] Re: SQLFORM doesn't work when browser cookies are disabled

2016-12-30 Thread Anthony
On Friday, December 30, 2016 at 10:50:12 AM UTC-5, Gaurav Vichare wrote:
> Thanks Anthony for reply! I used session=None because SQLFORM was not working on disabling browser cookies.
>
> Why can't you use cookies?
>
> Currently I am using session and cookies, but I am worried about the users

[web2py] Re: SQLFORM doesn't work when browser cookies are disabled

2016-12-30 Thread Gaurav Vichare
Thanks Anthony, this is very helpful. In my case, to ignore users who disable cookies and only show a message to enable cookies is the best solution. Prevention of CSRF attacks and double submission is more important in my case. Thanks!

On Friday, December 30, 2016 at 10:11:18 PM UTC+5:30, Anthony w