Secure Form Tag Helpers – For prevention of Cross-site request forgery (CSRF) attacks.

Generates form tags that include client-specific authorization tokens to be verified by the destined web app.

PYRAMID USERS: Use the csrf_token methods built into Pyramid’s Session object. This implementation is incompatible with Pyramid.

Authorization tokens are stored in the client’s session. The web app can then verify the request’s submitted authorization token with the value in the client’s session.

This ensures the request came from the originating page. See http://en.wikipedia.org/wiki/Cross-site_request_forgery for more information.

Pylons provides an authenticate_form decorator that does this verification on the behalf of controllers.

These helpers depend on Pylons’ session object. Most of them can be easily ported to another framework by changing the API calls.

The helpers are implemented in such a way that it should be easy to create your own helpers if you are using helpers for AJAX calls.

authentication_token() returns the current authentication token, creating one and storing it in the session if it doesn’t already exist.

auth_token_hidden_field() creates a hidden field (wrapped in an invisible div; I don’t know if this is necessary, but the old WebHelpers had it like this) containing the authentication token.

secure_form() is form() plus auth_token_hidden_field().


Return the current authentication token, creating one if one doesn’t already exist.

webhelpers.pylonslib.secure_form.secure_form(url, method='POST', multipart=False, **attrs)

Start a form tag that points the action to an url. This form tag will also include the hidden field containing the auth token.

The url options should be given either as a string, or as a url() function. The method for the form defaults to POST.


If set to True, the enctype is set to “multipart/form-data”.
The method to use when submitting the form, usually either “GET” or “POST”. If “PUT”, “DELETE”, or another verb is used, a hidden input with name _method is added to simulate the verb over POST.