Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.925
diff -u -r1.925 common.inc
--- includes/common.inc 18 Jun 2009 21:19:01 -0000 1.925
+++ includes/common.inc 30 Jun 2009 19:21:15 -0000
@@ -3240,11 +3240,20 @@
 * Generate a token based on $value, the current user session and private key.
 *
 * @param $value
- * An additional value to base the token on.
+ * (optional) An additional value to base the token on.
+ * @param $session
+ * (optional) A boolean value indicating whether the user's session is
+ * required when generating the token. Most tokens are based on the session,
+ * but in a situation where a session is not available or not needed a FALSE
+ * value may be used to depend on the user IP address instead. Defaults to
+ * TRUE.
 */
-function drupal_get_token($value = '') {
+function drupal_get_token($value = '', $session = TRUE) {
+ global $user;
+
 $private_key = drupal_get_private_key();
- return md5(session_id() . $value . $private_key);
+ $user_id = $session || $user->session ? session_id() : ip_address();
+ return md5($user_id . $value . $private_key);
 }
 
 /**
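Review bot: When `$session` is FALSE and `$user->session` is empty, the `$user_id = ...` line derives the token from `ip_address()` alone, so every client behind the same NAT or proxy gets the same token, and it stays valid for as long as the address does; that is much weaker than a per-session anti-forgery token. The docblock should state this limit, for example `Tokens generated without a session are shared by all clients at the same IP address and must not protect state-changing actions.` If `ip_address()` can take its value from a forwarded-for header in a given deployment (not visible in this hunk), the input is also client-influenced. The ternary relies on `||` binding tighter than `?:`; writing `($session || $user->session) ? session_id() : ip_address()` makes that explicit, and the same line is repeated in drupal_valid_token() in the next hunk.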
@@ -3253,16 +3262,21 @@
 * @param $token
 * The token to be validated.
 * @param $value
- * An additional value to base the token on.
- * @param $skip_anonymous
- * Set to true to skip token validation for anonymous users.
+ * (optional) An additional value to base the token on.
+ * @param $session
+ * (optional) A boolean value indicating whether the user's session is
+ * required when generating the token.
 * @return
 * True for a valid token, false for an invalid token. When $skip_anonymous
 * is true, the return value will always be true for anonymous users.
+ *
+ * @see drupal_get_token()
 */
-function drupal_valid_token($token, $value = '', $skip_anonymous = FALSE) {
+function drupal_valid_token($token, $value = '', $session = TRUE) {
 global $user;
- return (($skip_anonymous && $user->uid == 0) || ($token == md5(session_id() . $value . variable_get('drupal_private_key', ''))));
+
+ $user_id = $session || $user->session ? session_id() : ip_address();
+ return $token == md5($user_id . $value . variable_get('drupal_private_key', ''));
 }
 
 function _drupal_bootstrap_full() {
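Review bot: The new return line still compares the token with loose `==`, which is not constant-time and, because both operands are md5 hex strings, lets PHP compare them numerically when both happen to look like numbers. I would use a strict comparison, `return $token === md5($user_id . $value . variable_get('drupal_private_key', ''));`, or `hash_equals()` on PHP versions that provide it. The `@return` text kept as context still describes `$skip_anonymous`, which no longer exists, and the new `$session` description says "generating" where this function validates. Callers that passed TRUE as the third argument to skip validation for anonymous users now get `$session = TRUE` instead; those call sites are outside this hunk and should be checked.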