I give you options ... your choices, hahaha!

At least it can serve as a temporary remedy.

The "security hole" that is created only affects members who are filling out a form, only during that time, if they leave without closing the session, if OxWall does not close it by default, if the hacker knows how and why to attack and OxWall is not used to make bank websites either.

What i would be interested in is this specific case where someone is running their own server at home and gets caught in the exception because they use the same router for site connection. Even though it is two sep IP's i still feel that the router or something about the way the connection is established is causing the CSRF issue. 
That would be a good thing to learn why and how to fix it. 

Maybe changing my "comment" for an "if" that works with the user's registration IP, the public IP of the web and the IP with which it is connected.

Also, I would need to edit the file that I mentioned before.

I leave here some things about IPs with which I am working for a future plugin, in case they serve you or give you some idea

$user = BOL_UserService::getInstance()->findUserById( $userId );

$userRegIp = long2ip($user->joinIp);

$userActIp = ip2long(OW::getRequest()->getRemoteAddress());

public function getIp(){

    if (!empty($_SERVER['HTTP_CLIENT_IP']))

        $ip = $_SERVER['HTTP_CLIENT_IP'];

    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))

        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];

    else

        $ip = $_SERVER['REMOTE_ADDR'];
    return $ip;

}

Dave, man, I have an idea about this problem,

First of all, the customer may have more than one oxwall usage. This situation occurs when the cache lives in the mess. Continuous cache cleaning should be done to correct this.

The most ideal method to do in this case is the use of two difference themes (the cache shows constant problem clutter for the use of 2 different oxwall) because of the use of cerez.

My suggestion may be to change the ping throw range for the new edit edit.

I'll understand that the change on the kernel will be a recurring problem in the update. There are 2 ways to get rid of this, 1 is a new cerez edit plugin (this may sound a bit ridiculous) 2 is used in addition to the different theme for the oxwall site. Finally, when you visit oxwall based sites that you need to tell your customer, it will clear the cache.

The one for his web is daisy chained to the server router and both have dif ips.

this is from the customer: 

Okay one phone line for voice and router which is setup with 4 static IP address then from that router to the router I use for my everyday use computer...Then I have 2 Dell Power edge 2950 corporate computers hooked up to the first router which has the 4 static IP addresses.

He said he has run into the same issue trying to share a game he plays. I am thinking that somewhere the two share a common ground which causes the CSRF flag.