I have a situation in which I can't preserve any session information for my users. No cookies are available. I'm able to present pages OK, but all form submissions fail. They fail because each form includes a token, and on submit the token is tested by drupal_valid_token(). The test always fails because the session_id() is never the same between when the form was generated and when submitted. Now, I notice that drupal_valid_token takes a parameter $skip_anonymous, which does almost what I want, it skips the test when the user is anonymous (why only for anonymous users, I have no idea). So it looks like someone had in mind a situation like mine. But as far as I can tell $skip_anonymous is never used. There's no way to configure FAPI to use it. So my questions are these: can anyone explain to me better what's going on here and what $skip_anonymous is for? And if I submit a patch that makes FAPI configurable to skip this check, is there any chance it would make it into the next 5.x and/or 6.x release? For the curious, my situation is a Facebook Application using Drupal for Facebook <http://drupal.org/project/fb>. When presenting a facebook "canvas page", the requests come from facebook, not the user's browser. And if the facebook user is not "logged in" to the app, there is no session information whatsoever available. I'm interested in other approaches to solve this problem. For example, if I could somehow alter all local urls to include a ?mysession=nnnnn, which stays the same through all links and form submits, that would be amazing. Any ideas are welcome. Thanks, -Dave