Merge branch 'develop' of git://github.com/EllisLab/CodeIgniter into develop

author: Timothy Warren <tim@timshomepage.net> 2012-01-24 22:37:20 +0100
committer: Timothy Warren <tim@timshomepage.net> 2012-01-24 22:37:20 +0100
commit: 8f9e93dd37ae0090c9b4117138cd3135bfe3f67a (patch)
tree: 3f49040d696e760381642f2d2ffa407cee1dc039 /user_guide_src/source/libraries/security.rst
parent: de15a0b7377db0ef3b1d43508401be3c2927c0ff (diff)
parent: 96db8f91c34c18119548cacc4692362f51e70407 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
 form_open() function will automatically insert a hidden csrf field in
 your forms.
 
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+	$config['csrf_regeneration'] = TRUE;
+
 Select URIs can be whitelisted from csrf protection (for example API
 endpoints expecting externally POSTed content). You can add these URIs
 by editing the 'csrf_exclude_uris' config parameter::
author	Timothy Warren <tim@timshomepage.net>	2012-01-24 22:37:20 +0100
committer	Timothy Warren <tim@timshomepage.net>	2012-01-24 22:37:20 +0100
commit	8f9e93dd37ae0090c9b4117138cd3135bfe3f67a (patch)
tree	3f49040d696e760381642f2d2ffa407cee1dc039 /user_guide_src/source/libraries/security.rst
parent	de15a0b7377db0ef3b1d43508401be3c2927c0ff (diff)
parent	96db8f91c34c18119548cacc4692362f51e70407 (diff)