This article gives you information on how to use Formular with web frameworks.
As a session you can use a SecureCookie or a Session as provided by the FilesystemSessionStore or the SesionMiddleware.
As action you should the the Request.path.
For validation you can use the form data stored in the Request.values, which holds the data for GET and POST requests.
See also
Bottle doesn’t have any session because as the bottle FAQ states it “[...]there is no right way to do it”. Therefore you don’t have any CSRF protection as long as you don’t have any other solution for it.
For validation you can get the form data store in the bottle.request.params.
See also