I was intrigued by this discussion: 
http://news.ycombinator.com/item?id=3778158 about CSRF.

Do I understand correctly that the FORM / SQLFORM CSRF protection only 
works when you pass a session (which is by default None)?

If so, I think it is important to update the book to caution everyone to 
use the session variable with forms - it is not stressed enough.

Also, this might be serious enough to warrant a breaking change like the 
default views - e.g.:

if the user is OK with the current situation, they have to pass 
"session=DISABLE_CSRF_PROTECTION" to FORM/SQLFORM;
otherwise, a form with "session=None" will always fail to accept.

(unless you set something like: 
request.default_session=DISABLE_CSRF_PROTECTION)

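To make the point of the post concrete, here is an added toy model of the synchronizer-token pattern that FORM/SQLFORM rely on. It is not web2py's gluon code and not code from the post's author; the names render_form, accepts, accepts_strict and the DISABLE_CSRF_PROTECTION sentinel are hypothetical, chosen to mirror the proposal above. It shows what happens when no session is passed (the token check is simply skipped, so a cross-site POST is accepted) against a session-backed form (forgery and replay rejected), and what the proposed strict default would look like.

```python
"""Toy model of synchronizer-token CSRF protection.

Assumption: this is NOT web2py's implementation, only the pattern the post
discusses. Field names (_formname, _formkey) are borrowed for readability.
"""
import hmac
import secrets

# Hypothetical opt-out sentinel, as proposed in the post.
DISABLE_CSRF_PROTECTION = object()


def render_form(session, formname="myform"):
    """Return the hidden fields a form would emit on page load.

    With a session dict, a fresh one-time token is stored under
    session["_formkeys"][formname] and echoed into the form. With
    session=None (or the opt-out sentinel) no token is emitted at all,
    so there is nothing the server could later verify.
    """
    fields = {"_formname": formname}
    if session is None or session is DISABLE_CSRF_PROTECTION:
        return fields
    token = secrets.token_hex(16)
    session.setdefault("_formkeys", {})[formname] = token
    fields["_formkey"] = token
    return fields


def accepts(session, post_vars, formname="myform"):
    """Modelled current behaviour: session=None skips the token check."""
    if post_vars.get("_formname") != formname:
        return False
    if session is None or session is DISABLE_CSRF_PROTECTION:
        return True  # no CSRF protection at all
    # One-time use: the stored token is consumed whether or not it matches.
    expected = session.get("_formkeys", {}).pop(formname, None)
    submitted = post_vars.get("_formkey")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), str(submitted).encode())


def accepts_strict(session, post_vars, formname="myform"):
    """The post's proposed default: session=None always rejects; only the
    explicit DISABLE_CSRF_PROTECTION sentinel skips the check."""
    if session is None:
        return False
    return accepts(session, post_vars, formname)


def forged_post(formname="myform"):
    """Constructed cross-site submission: the attacker knows the form name
    but cannot read the victim's session token."""
    return {"_formname": formname, "name": "attacker"}


def demo():
    """Run the scenarios and return a dict of scenario -> passed (bool)."""
    results = {}

    # 1. No session: the forged submission goes straight through.
    results["unprotected_accepts_forgery"] = accepts(None, forged_post())

    # 2. Session-backed form: legitimate round trip is accepted once,
    #    replaying the same token is rejected.
    session = {}
    legit = dict(render_form(session), name="alice")
    results["protected_accepts_legit"] = accepts(session, legit)
    results["protected_rejects_replay"] = not accepts(session, legit)

    # 3. New page load, fresh token; forgery without the token is rejected.
    render_form(session)
    results["protected_rejects_forgery"] = not accepts(session, forged_post())

    # 4. Proposed strict default: None rejects, explicit opt-out accepts.
    results["strict_rejects_session_none"] = not accepts_strict(None, forged_post())
    results["strict_opt_out_accepts"] = accepts_strict(
        DISABLE_CSRF_PROTECTION, forged_post())
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The constant-time comparison and one-time consumption are the details a practitioner would check in any real implementation; the part that matters for this thread is the early `return True` when no session is present, which is exactly the silent fall-through the post warns about.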