[development] forms without session

Dave Cohen drupal at dave-cohen.com
Sat Oct 13 16:12:37 UTC 2007


I have a situation in which I can't preserve any session information for my 
users.  No cookies are available.  I'm able to present pages OK, but all form 
submissions fail.

They fail because each form includes a token, and on submit the token is 
tested by drupal_valid_token().  The test always fails because the 
session_id() is never the same between when the form was generated and when 
submitted.

Now, I notice that drupal_valid_token takes a parameter $skip_anonymous, which 
does almost what I want: it skips the test when the user is anonymous (why 
only for anonymous users, I have no idea).  So it looks like someone had in 
mind a situation like mine.  But as far as I can tell $skip_anonymous is 
never used.  There's no way to configure FAPI to use it.

So my questions are these: can anyone explain to me better what's going on 
here and what $skip_anonymous is for?  And if I submit a patch that makes 
FAPI configurable to skip this check, is there any chance it would make it 
into the next 5.x and/or 6.x release?

For the curious, my situation is a Facebook Application using Drupal for 
Facebook <http://drupal.org/project/fb>.  When presenting a Facebook "canvas 
page", the requests come from Facebook, not the user's browser.  And if the 
Facebook user is not "logged in" to the app, there is no session information 
whatsoever available.

I'm interested in other approaches to solve this problem.  For example, if I 
could somehow alter all local urls to include a ?mysession=nnnnn, which stays 
the same through all links and form submits, that would be amazing.  Any 
ideas are welcome.

Thanks, -Dave
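
A simplified model of the session-bound token check described in the message above, added here as an illustration; it is not Drupal's code and not part of the original post. The function names, the key, the session ids and the HMAC construction are all assumptions chosen for the example.

```php
<?php
// Simplified model of a session-bound form token.
// Added example: hypothetical names and constructed values throughout.

const EXAMPLE_PRIVATE_KEY = 'constructed-site-private-key';

// The token is a keyed hash over the session id and a per-form value,
// so it is only reproducible while the session id stays the same.
function example_get_token(string $session_id, string $form_id): string {
  return hash_hmac('sha256', $session_id . $form_id, EXAMPLE_PRIVATE_KEY);
}

// Models the behaviour the message describes for $skip_anonymous: when it is
// set and the user is anonymous (uid 0), the comparison is skipped entirely.
function example_valid_token(string $token, string $session_id, string $form_id,
                             int $uid, bool $skip_anonymous = false): bool {
  if ($skip_anonymous && $uid === 0) {
    return true;
  }
  // Constant-time comparison of the recomputed token with the submitted one.
  return hash_equals(example_get_token($session_id, $form_id), $token);
}

$form_id = 'example_form';

// Case 1: a session cookie is present, so the form is rendered and
// submitted under the same session id.
$sid = 'sess-aaaa';
$token = example_get_token($sid, $form_id);
var_dump(example_valid_token($token, $sid, $form_id, 0));

// Case 2: no cookie is available, so the server sees a different session id
// on submit than the one the token was derived from at render time.
$sid_render = 'sess-bbbb';
$sid_submit = 'sess-cccc';
$token = example_get_token($sid_render, $form_id);
var_dump(example_valid_token($token, $sid_submit, $form_id, 0));

// Case 3: with skip_anonymous set, the submitted token is never compared
// for uid 0, so the form carries no request-forgery check for anonymous users.
var_dump(example_valid_token('not-a-real-token', $sid_submit, $form_id, 0, true));
```

Case 3 is the trade-off to weigh before making the skip configurable: for anonymous users the token stops being checked at all, whatever value is submitted.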

