> Is this what you are thinking of: > > if not request.session.remove_form_token(token): >> > instead of: > > if not request.session.has_form_token(token): > > else: > request.session.remove_form_token(token) Yes. The second form is racy in multiprocess environments, while the former (assuming that remove_form_token is atomic) is not. jon Jonathan Corbet Executive editor, LWN.net corbet@lwn.net