What exactly triggers the "Form authenticator is invalid" exception on PFG-forms?

Every once in a while the submit of a PloneFormGen-form (it happens on different forms, so nothing form specific) raises the "Form authenticator is invalid" exception.

I know this is the Cross-Site Request Forgery (CSRF) protection going off, but what is that exactly?

What triggers it and how can it be prevented (because, as far as I can tell, all the triggering submits were valid, so no forgery going on :-)

Thanks!


To protect against posts from other sources, many Plone forms, including PFG forms where you haven't turned it off, contain a cryptographic token as a hidden input. That token must be present in the submit, and the submit must be by HTTP POST.

When CSRF protection is turned on, a submit from any other source than the original form will trigger an error. You could also conceivably get the error if one user loaded the form, then in the same browser logged in as another user. Or, if the post was turned into a GET by a proxy or browser plug-in.

You can turn off CSRF checking in PFG on a form-by-form basis. CSRF checking isn't really useful unless some valuable resource is being protected.
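
A minimal model of the check described in the answer above, added here as an example; it is not part of the original answer and is not Plone's or PloneFormGen's own code. The secret, the field name and all function names are assumptions, and the token is a plain HMAC over the user name.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value; a real site keeps a private server-side key
FIELD = "_authenticator"             # hidden input name used in this sketch (assumption)


class InvalidAuthenticator(Exception):
    """Stand-in for the 'Form authenticator is invalid' error."""


def create_token(user: str) -> str:
    """Token rendered into the form as a hidden input, bound to the logged-in user."""
    return hmac.new(SECRET, user.encode("utf-8"), hashlib.sha1).hexdigest()


def check_submit(method: str, form: dict, current_user: str) -> None:
    """Accept only a POST that carries the token issued to the submitting user."""
    if method.upper() != "POST":
        raise InvalidAuthenticator("not a POST")
    supplied = form.get(FIELD, "").encode("utf-8")
    expected = create_token(current_user).encode("utf-8")
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        raise InvalidAuthenticator("token missing or issued to another user")


def outcome(method: str, form: dict, current_user: str) -> str:
    try:
        check_submit(method, form, current_user)
        return "accepted"
    except InvalidAuthenticator as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    form = {"comment": "hello", FIELD: create_token("alice")}  # alice loads the form
    return {
        "normal submit": outcome("POST", form, "alice"),
        "no token (other source)": outcome("POST", {"comment": "hello"}, "alice"),
        "user switched to bob": outcome("POST", form, "bob"),
        "POST rewritten to GET": outcome("GET", form, "alice"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last two cases are the legitimate-looking submits that still fail: the token was valid when issued, but the session or the request method changed before it was checked.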
