CSRF protection and caching

Hi!

If you cache a page, for example with Varnish, how do you handle CSRF tokens? Are they valid for one request, so the next one from the cached HTML fails, or are they valid for some minutes so they can be reused?

Is it possible to disable caching for form modules?

Maybe you could rephrase this to be more specific. What is the problem you're trying to avoid?

If I create a form with PloneFormGen or the contact form, for example, there is a hidden CSRF token. If the page is cached with Varnish, can I reuse the token over and over again? Or can it be used only once? I'm asking because of possible spam from a web form.

I think the point of those tokens is that they are NOT reusable. The code from plone.protect (I think that's what does it) will check the value of the token and see if it matches what it had just generated. But I don't know for sure, so maybe just try it and see what happens.