Plone.protect: token in context of multiple app servers?!

We're using Plone 4.3 with plone.protect on a cluster with some application servers.

Is the generated CSRF token passed from a form back to the backend specific to a particular application server or valid on all application servers?

I've seen multiple errors like this

Unexpected error whilst trying to apply transform chain
Traceback (most recent call last):
  File "/home/plone/zchl_buildout/eggs/plone.transformchain-1.2.0-py2.7.egg/plone/transformchain/", line 49, in __call__
    newResult = handler.transformIterable(result, encoding)
  File "/home/plone/zchl_buildout/eggs/plone.protect-3.0.14-py2.7.egg/plone/protect/", line 152, in transformIterable
    if not self.check():
  File "/home/plone/zchl_buildout/eggs/plone.protect-3.0.14-py2.7.egg/plone/protect/", line 171, in check
    return self._check()
  File "/home/plone/zchl_buildout/eggs/plone.protect-3.0.14-py2.7.egg/plone/protect/", line 195, in _check
    check(self.request, manager=self.key_manager)
  File "/home/plone/zchl_buildout/eggs/plone.protect-3.0.14-py2.7.egg/plone/protect/", line 113, in check
    raise Forbidden('Form authenticator is invalid.')
Forbidden: Form authenticator is invalid.


plone.protect uses plone.keyring, which is a persistent utility, i.e. should be shared.

@zopyx did you find out the cause of this issue? We are suddenly seeing the same error. Also a cluster. Also the error happening in the transformchain.

I discussed something similar last week when we wanted to spam-protect a form and this passed as one of the 'caveat's. Did the form you now see errors on accidentally entered a varnish cache or did cache times change? Then you might serve the form with an too old token.

No idea, that's from 2016^^

I though it could help Dylan Jay, but I now see it's unrelated. Your traceback is on output in transformchain, not on incoming validation. That's out of scope for caching.

To update on the actual cause in case anyone hits this.

This is on plone 4 site with csrfixes. What that does that I'd forget about is ignore CSRF problems if the referrer is set to the same site.
We adding in some additional headers into our stack for security including Referrer-Policy We were a little over zealous and set it to no-referrer instead of strict-origin-when-cross-origin which is a mistake. Of course with no-referrer it turned back on plone.protect and we were suddenly seeing Form authenticator is invalid. in the transform chain.