I know it's not perfect:

* It's not as tightly integrated into web.py as it could have been
  (e.g. creating a form.Csrf field class or adding an application
  processor for *all* POST methods that *don't* have a @no_csrf_check).
* Since we're only keeping a single csrf_token, if you open 2 tabs
  with forms, and then try to post both, the second time would be
  detected as a CSRF attack (hence the spiffy 400 error).

Still - it seems to be short and working, and it's better than not having
CSRF protection at all. Once a more complete solution comes along, I'll
be sure to adopt it.
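
The two-tab limitation from the list above, reproduced next to one possible variant that keeps a small bounded set of outstanding tokens per session. This is an added example, not code from the original post. It assumes the single-token scheme stores one token in the session and consumes it on POST; a plain dict stands in for the web.py session, and all function names and `MAX_TOKENS` are hypothetical.

```python
import hmac
import secrets

MAX_TOKENS = 5  # assumed bound on outstanding tokens per session


def single_issue(session):
    """Single-token scheme: one token per session, shared by every open form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def single_check(session, submitted):
    """Consume the session's only token; a second POST finds nothing to match."""
    expected = session.pop("csrf_token", None)
    return expected is not None and hmac.compare_digest(
        expected.encode(), submitted.encode())


def pool_issue(session):
    """Variant: each rendered form gets its own token; oldest ones are evicted."""
    tokens = session.setdefault("csrf_tokens", [])
    token = secrets.token_hex(16)
    tokens.append(token)
    del tokens[:-MAX_TOKENS]  # keep only the newest MAX_TOKENS entries
    return token


def pool_check(session, submitted):
    """Accept any outstanding token exactly once, compared in constant time."""
    tokens = session.get("csrf_tokens", [])
    for i, expected in enumerate(tokens):
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            del tokens[i]  # single use: a replayed token is rejected
            return True
    return False


def two_tab_scenario(issue, check):
    """Render a form in two tabs, then POST both; returns (first_ok, second_ok)."""
    session = {}
    tab1, tab2 = issue(session), issue(session)
    return check(session, tab1), check(session, tab2)
```

The bound on the pool keeps session size fixed, at the cost that a form left open while more than `MAX_TOKENS` newer forms are rendered will be rejected.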