Since we added CSRF protection recently, I'm getting lots of reports of "errors" which are actually the CSRF protection doing exactly what it should. An example is from a tweet that Chris pointed out to me:
"#joindin throwing lots of "Request was invalid. Tokens did not match." messages today and yesterday. Anyone else having problems? #lsp12"
Things that make this seem like a problem:
forms are POST for no clear reason. They should be POST only if they do something potentially harmful such as changing data, and GET if they are safe (the search box is a great example: it should be GET, and then it would never trip the CSRF check at all)
we only support one CSRF token being stored at a time, so as soon as you have two windows open in joind.in, only the one you loaded most recently will work; submitting the older one gives exactly the "Tokens did not match" error quoted above
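To make the second point concrete, here is an added example (my own illustration, not joind.in's code) that puts the one-token-per-session design beside a store that keeps a small pool of outstanding tokens per session, so each open tab keeps a working token, and that only enforces the check on state-changing methods, so a GET search box is never rejected. The class names, the pool size limit, the hidden field name `csrf_token` and the session ids are all assumptions made for the example.

```python
"""Added example, not joind.in's code: single-slot vs pooled CSRF token stores.
Names, the pool limit and the 'csrf_token' field name are assumptions."""
import hmac
import secrets
from collections import OrderedDict

MAX_TOKENS_PER_SESSION = 8                  # assumed limit; bounds session size
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must not change state, so no token needed
FORM_FIELD = "csrf_token"                   # assumed name of the hidden form input


class SingleTokenStore:
    """One slot per session: issuing a token for a second tab overwrites the
    first tab's token, so a submit from the older tab fails to match."""

    def __init__(self):
        self._tokens = {}  # session_id -> token

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def consume(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        # constant-time comparison on bytes (compare_digest rejects non-ASCII str)
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        del self._tokens[session_id]  # one-time use
        return True


class PooledTokenStore:
    """Up to max_tokens outstanding tokens per session, oldest evicted first,
    each valid once. Several open tabs each keep their own working token."""

    def __init__(self, max_tokens=MAX_TOKENS_PER_SESSION):
        self.max_tokens = max_tokens
        self._tokens = {}  # session_id -> OrderedDict(token -> None), oldest first

    def issue(self, session_id):
        pool = self._tokens.setdefault(session_id, OrderedDict())
        token = secrets.token_urlsafe(32)
        pool[token] = None
        while len(pool) > self.max_tokens:
            pool.popitem(last=False)  # evict the oldest token
        return token

    def consume(self, session_id, presented):
        if presented is None:
            return False
        pool = self._tokens.get(session_id, OrderedDict())
        matched = None
        for token in pool:  # check every outstanding token, constant time each
            if hmac.compare_digest(token.encode(), presented.encode()):
                matched = token
        if matched is None:
            return False
        del pool[matched]  # one-time use: a replay of the same token fails
        return True


def request_allowed(store, session_id, method, form):
    """Enforce the token only on state-changing methods; a GET search box
    carries no token and must not be rejected."""
    if method.upper() in SAFE_METHODS:
        return True
    return store.consume(session_id, form.get(FORM_FIELD))


def two_tabs(store, session_id="sess-1"):
    """Open a form in two tabs, submit the older tab first, then the newer
    one, then replay the first token. Returns the three outcomes."""
    tab1 = store.issue(session_id)
    tab2 = store.issue(session_id)
    first = request_allowed(store, session_id, "POST", {FORM_FIELD: tab1})
    second = request_allowed(store, session_id, "POST", {FORM_FIELD: tab2})
    replay = request_allowed(store, session_id, "POST", {FORM_FIELD: tab1})
    return first, second, replay


if __name__ == "__main__":
    print("single slot:", two_tabs(SingleTokenStore()))   # (False, True, False)
    print("pooled     :", two_tabs(PooledTokenStore()))   # (True, True, False)
    print("GET search :", request_allowed(PooledTokenStore(), "sess-1", "GET", {"q": "csrf"}))  # True
```

The single-slot store reproduces the complaint in the tweet: the older tab's submit is the one that fails. The pool keeps the fix bounded (an attacker or a busy user cannot grow the session without limit) while still making tokens single-use, and the method check is what lets a search form be a plain GET with no token at all.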
Comments, patches and other wisdom are all gratefully received.