Index: includes/form.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/form.inc,v
retrieving revision 1.78
diff -u -r1.78 form.inc
--- includes/form.inc	15 Mar 2006 08:57:37 -0000	1.78
+++ includes/form.inc	16 Mar 2006 06:10:12 -0000
@@ -59,18 +59,25 @@
  *
  */
 function drupal_get_form($form_id, &$form, $callback = NULL) {
-  global $form_values, $form_submitted;
+  global $form_values, $form_submitted, $user;
   $form_values = array();
   $form_submitted = FALSE;
 
   $form['#type'] = 'form';
   if (isset($form['#token'])) {
-    // Make sure that a private key is set:
-    if (!variable_get('drupal_private_key', '')) {
-      variable_set('drupal_private_key', mt_rand());
+    // displaying tokens on cached pages breaks the form for
+    // every user except the first one who generates the cache
+    if (variable_get('cache', 0) && !$user->uid && $_SERVER['REQUEST_METHOD'] == 'GET') {
+      unset($form['#token']);
     }
+    else {
+      // Make sure that a private key is set:
+      if (!variable_get('drupal_private_key', '')) {
+        variable_set('drupal_private_key', mt_rand());
+      }
 
-    $form['form_token'] = array('#type' => 'hidden', '#default_value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key', '')));
+      $form['form_token'] = array('#type' => 'hidden', '#default_value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key', '')));
+    }
   }
   if (isset($form_id)) {
     $form['form_id'] = array('#type' => 'hidden', '#value' => $form_id);
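Review bot: The new `unset($form['#token'])` branch applies only when `$_SERVER['REQUEST_METHOD'] == 'GET'`, so on the following POST the else branch sets `form_token` again, and any validation that compares the submitted token (not visible in this hunk) would be checking a value the cached GET page never emitted. The validating code should apply the same condition, and otherwise fail closed when a token is expected but absent. The comment should also state the trade-off, e.g. `// Security trade-off: anonymous forms on cached pages carry no token, so the token check does not cover them.` Separately, the re-indented `variable_set('drupal_private_key', mt_rand());` takes the private key from a non-cryptographic generator with a small output range, which weakens every token derived from it. drupal_get_form continues past the end of the hunk.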
Index: modules/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment.module,v
retrieving revision 1.440
diff -u -r1.440 comment.module
--- modules/comment.module	6 Mar 2006 20:52:55 -0000	1.440
+++ modules/comment.module	16 Mar 2006 06:28:42 -0000
@@ -78,6 +78,7 @@
 <li>administer comments <a href="%admin-comment-configure"> administer &gt;&gt; comments &gt;&gt; configure</a>.</li>
 </ul>
 ', array('%admin-access' => url('admin/access'), '%admin-comment-configure' => url('admin/comment/configure')));
+      $output .= '<p>'. t('Comment submissions use tokens when content caching is turned off. Tokens are hidden form fields with unique strings that must be submitted for comments to be saved. When forms are submitted correctly, the token is automatically generated and passed between the authoring, preview, and submit pages. It adds one more step of complexity for spammers by requiring them to have the unique token from a previous page load.') .'</p>';
       $output .= '<p>'. t('For more information please read the configuration and customization handbook <a href="%comment">Comment page</a>.', array('%comment' => 'http://drupal.org/handbook/modules/comment/')) .'</p>';
       return $output;
     case 'admin/modules#description':
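Review bot: The added help text says tokens are used "when content caching is turned off", but the condition in the includes/form.inc hunk of this patch drops the token only for anonymous users (`!$user->uid`) on GET requests while caching is on. As far as that hunk shows, logged-in users keep the token regardless of the cache setting. The wording should match the behaviour, for example `Comment submissions by logged-in users always use tokens; anonymous submissions use them only when page caching is turned off.` The enclosing help function starts and ends outside the hunk.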