> Is this what you are thinking of:
>
>     if not request.session.remove_form_token(token):
>         
>
> instead of:
>
>     if not request.session.has_form_token(token):
>         
>     else:
>         request.session.remove_form_token(token)

Yes.  The second form is racy in multiprocess environments, while the
former (assuming that remove_form_token is atomic) is not.

jon

Jonathan Corbet
Executive editor, LWN.net
corbet@lwn.net