+ ## Determine the correct CSRF tag.
+ ntag = csrf_tag(sec, when, user)
+
+ ## Check that the nonce matches, if one was supplied.
+ if nonce is not None:
+ bits = nonce.split('.', 2)
+ if len(bits) != 2: raise AuthenticationFailed, 'BADNONCE'
+ try: left, right = map(unhack_octets, bits)
+ except TypeError: raise AuthenticationFailed, 'BADNONCE'
+ if len(left) != len(right) or len(left) != len(ntag):
+ raise AuthenticationFailed, 'BADNONCE'
+ gtag = xor_strings(left, right)
+ if gtag != ntag: raise AuthenticationFailed, 'BADNONCE'
+
+ ## Make a new nonce string for use in forms.
+ NONCE = mint_csrf_nonce(sec, ntag)
+
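Review bot: The check `if gtag != ntag:` compares the unmasked tag with the expected CSRF tag using an ordinary string comparison, which stops at the first differing byte and can leak through response timing how much of a submitted value matched. A constant-time comparison is the safer form: `if not hmac.compare_digest(gtag, ntag): raise AuthenticationFailed, 'BADNONCE'`. This needs `import hmac` and Python 2.7.7 or later, and the length check just above already guarantees equal-length inputs. A missing nonce skips verification entirely at `if nonce is not None:`, so a comment such as `## Callers handling state-changing requests must reject nonce=None themselves.` would document that; whether callers do so is not visible here. The enclosing function starts and ends outside the lines shown.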