diff --git a/gluon/html.py b/gluon/html.py
index b4d597fd..49890fa6 100644
--- a/gluon/html.py
+++ b/gluon/html.py
@@ -190,7 +190,8 @@ def URL(a=None,
         port=None,
         encode_embedded_slash=False,
         url_encode=True,
-        language=None
+        language=None,
+        hash_extension=True
         ):
     """
     generates a url '/a/c/f' corresponding to application a, controller c
@@ -339,7 +340,8 @@ def URL(a=None,
         if '.' in function:
             function, extension = function.rsplit('.', 1)
 
-    function2 = '%s.%s' % (function, extension or 'html')
+    # only include the extension as part of the variables for the hash if requested
+    function2 = '%s.%s' % (function, extension or 'html') if hash_extension else function
 
     if not (application and controller and function):
         raise SyntaxError('not enough information to build the url (%s %s %s)' % (application, controller, function))
@@ -416,7 +418,7 @@ def URL(a=None,
     return url
 
 
-def verifyURL(request, hmac_key=None, hash_vars=True, salt=None, user_signature=None):
+def verifyURL(request, hmac_key=None, hash_vars=True, salt=None, user_signature=None, hash_extension=True):
     """
     Verifies that a request's args & vars have not been tampered with by the user
 
@@ -477,10 +479,19 @@ def verifyURL(request, hmac_key=None, hash_vars=True, salt=None, user_signature=
 
     # always include all of the args
     other = args and urllib_quote('/' + '/'.join([str(x) for x in args])) or ''
-    h_args = '/%s/%s/%s.%s%s' % (request.application,
+    
+    # decide whether the extension should be part of the hash verification
+    h_extension = request.extension if hash_extension else ''
+
+    # only add a period to the extension when it exists otherwise empty
+    # extensions will fail to validate
+    if h_extension:
+        h_extension = '.%s' % (h_extension)
+        
+    h_args = '/%s/%s/%s%s%s' % (request.application,
                                  request.controller,
                                  request.function,
-                                 request.extension,
+                                 h_extension,
                                  other)
 
     # but only include those vars specified (allows more flexibility for use with
diff --git a/gluon/tools.py b/gluon/tools.py
index 9fafd48e..01095e05 100644
--- a/gluon/tools.py
+++ b/gluon/tools.py
@@ -3930,7 +3930,7 @@ class Auth(AuthAPI):
             return self.has_permission(name, table_name, record_id)
         return self.requires(has_permission, otherwise=otherwise)
 
-    def requires_signature(self, otherwise=None, hash_vars=True):
+    def requires_signature(self, otherwise=None, hash_vars=True, hash_extension=True):
         """
         Decorator that prevents access to action if not logged in or
         if user logged in is not a member of group_id.
@@ -3938,7 +3938,7 @@ class Auth(AuthAPI):
         group_id is calculated.
         """
         def verify():
-            return URL.verify(current.request, user_signature=True, hash_vars=hash_vars)
+            return URL.verify(current.request, user_signature=True, hash_vars=hash_vars, hash_extension=True)
         return self.requires(verify, otherwise)
 
     def accessible_query(self, name, table, user_id=None):