From 09ba525f2e4c768aebf8a5a08a9c5abeb7fb4d65 Mon Sep 17 00:00:00 2001
From: Massimo
Date: Thu, 26 Sep 2013 11:26:08 -0500
Subject: [PATCH] possible fix to issue 1688, support for multiple forms with same formname in different browser pages
---
 VERSION | 2 +-
 gluon/html.py | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/VERSION b/VERSION
index 0a38878c..a1ff0565 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.6.4-stable+timestamp.2013.09.26.07.55.44
+Version 2.6.4-stable+timestamp.2013.09.26.11.24.52
diff --git a/gluon/html.py b/gluon/html.py
index 94592055..78349ec8 100644
--- a/gluon/html.py
+++ b/gluon/html.py
@@ -2017,10 +2017,14 @@ class FORM(DIV):
 changed = False
 request_vars = self.request_vars
 if session is not None:
- formkey = session.get('_formkey[%s]' % formname, None)
+ formkey = request_vars._formkey
+ keyname = '_formkey[%s]' % formname
+ formkeys = session.get(keyname, [])
 # check if user tampering with form and void CSRF
- if not formkey or formkey != request_vars._formkey:
+ if not formkeys or formkey not in formkeys:
 status = False
+ else:
+ session[keyname].remove(formkey)
 if formname != request_vars._formname:
 status = False
 if status and session:
@@ -2056,7 +2060,9 @@ class FORM(DIV):
 formkey = self.record_hash
 else:
 formkey = web2py_uuid()
- self.formkey = session['_formkey[%s]' % formname] = formkey
+ self.formkey = formkey
+ keyname = '_formkey[%s]' % formname
+ session[keyname] = session.get(keyname,[])[-9:] + [formkey]
 if status and not keepvalues:
 self._traverse(False, hideerror)
 self.accepted = status
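Review bot: A session written by the previous code still holds a single string under `'_formkey[%s]' % formname` (the removed assignment in the second hunk stored one), and the new check in the first `gluon/html.py` hunk does not handle that type. With a string, `formkey not in formkeys` becomes a substring test (or raises TypeError when `_formkey` is absent from the request), and `session[keyname].remove(formkey)` raises AttributeError; the slice-and-append in the second hunk fails the same way. Normalising right after the lookup, e.g. `if not isinstance(formkeys, list): formkeys = session[keyname] = []`, keeps the membership test an exact token match and avoids errors for sessions that outlive the upgrade. The enclosing method starts and ends outside the hunk, so whether both hunks run in the same call is inferred from their line numbers.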
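Review bot: The `[-9:]` cap in the new `session[keyname] = ...` line of the second `gluon/html.py` hunk is an unexplained magic number with a security-relevant meaning: up to ten CSRF keys per form name stay valid in the session at once, and an eleventh page load silently invalidates the oldest open form. A named constant and a comment would make that trade-off visible, e.g. `# keep at most 10 outstanding keys per formname; the oldest open page then fails CSRF validation`. Keys are retired only by use or eviction, so nothing in the hunk bounds how long an unused key remains acceptable, which is worth stating if it is intended. When `formkey` is `self.record_hash` the same value can be appended repeatedly, so the single `remove()` in the first hunk may leave copies behind; that is presumably acceptable for a deterministic key but deserves a comment.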