one thing, if someone needs to know: if you're using $obj->getSecureForm() to get the form, don't forget to check, if the token is valid.
if(!icms::$security->check()) redirect_header(icms_getPreviouspage(), 3, _YOUR_SECURITY_CHECK_ALERT);
if you don't use the default method and want to use the token method in your html form you can get the token field by
$token = icms::$security->getTokenHTML();
in forms built with php:
in all cases add the security check in form action before saving the data. The token will be invalid if the token has expired.