> Although one does wonder if Web2Py shouldn't default to the Post/Redirect/Get design pattern...
> http://en.wikipedia.org/wiki/Post/Redirect/Get

As long as you pass the session to form.process() (which is done by default), the form will include a single use _formkey, which prevents both double form submission and CSRF attacks.

As for redirect, that is easily doable and a common pattern in web2py, but up to the developer -- though even without a redirect, the default behavior would be to load a new empty form, so no double form submission problem. Redirecting to a get with a query string is only necessary if the response depends on the original post content, and the details would likely be app specific, so probably best left up to the developer.

What would a default PRG pattern look like -- where would it redirect, and what would the get request return?

Anthony
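
The single-use form key described in the reply above, modelled as an added example (not from the original thread and not web2py's own code). The class name, the session layout and the `max_keys` cap are assumptions made for illustration; the session is a plain dict standing in for one user's server-side session.

```python
import hmac
import secrets


class FormKeyGuard:
    """Single-use form keys stored in one user's server-side session."""

    def __init__(self, session, max_keys=10):
        self.session = session
        self.max_keys = max_keys  # cap so many open tabs cannot grow the session

    def issue(self, form_name):
        """Call when rendering the form; embed the result as a hidden field."""
        key = secrets.token_urlsafe(32)
        keys = self.session.setdefault("formkeys:" + form_name, [])
        keys.append(key)
        del keys[:-self.max_keys]  # keep only the newest max_keys entries
        return key

    def accept(self, form_name, submitted):
        """Return True once per issued key; the key is consumed on success."""
        if not isinstance(submitted, str) or not submitted:
            return False
        keys = self.session.get("formkeys:" + form_name, [])
        for stored in keys:
            # constant-time comparison, on bytes so non-ASCII input cannot raise
            if hmac.compare_digest(stored.encode(), submitted.encode()):
                keys.remove(stored)
                return True
        return False


def demo():
    session = {}                             # constructed stand-in session
    guard = FormKeyGuard(session)
    key = guard.issue("comment")             # GET: form rendered with hidden key
    first = guard.accept("comment", key)     # legitimate POST
    replay = guard.accept("comment", key)    # refresh re-sends the same POST
    forged = guard.accept("comment", None)   # cross-site POST carries no key
    other = FormKeyGuard({}).issue("comment")
    cross = guard.accept("comment", other)   # key from another user's session
    return first, replay, forged, cross


if __name__ == "__main__":
    print(demo())
```

The replayed POST is rejected because the key was consumed by the first submission, which is why a refresh after posting does not submit twice even without a redirect.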