I'm wondering why Rails form Authenticity Tokens last the entire session instead of being generated uniquely per each submission.
I'm coming from web2py, where forms are generated with unique one-time tokens called _formkey. The formkey automatically prevents duplicate submissions resulting from double-clicking, back-button caching, etc.
In Rails, you apparently have to deal with the double-submission problem yourself (See https://stackoverflow.com/a/4683161/165673). It seems to me that one-time Authenticity Tokens would solve this problem, as well as being more secure?
One token for entire session is easier to implement. Think about a case where you have two opened tabs with forms.
One token for session is as secure as one-time token solution. At least as the protection against CSRF attacks.
In Rails, you apparently have to deal with the double-submission problem yourself
There is out of the box solution for that. Read about disable_with option. Of course all requests that modify data should be sent via HTTP POST, not GET.