since 1.2.2 it would be good to update the docs and stress that that @validate in pylons needs to get force_defaults=False, to prevent htmlfill from wiping out the _auth_token field value, right now its very unintuitive to fix that problem because one needs to read the souce to see that the token value gets removed from POST by @authenticate_form
This was really useful info, been struggling with this for hours. Related posts to my problem were http://permalink.gmane.org/gmane.comp.python.formencode/726 and http://pylonshq.com/project/pylonshq/ticket/308