summaryrefslogtreecommitdiffstats
path: root/user_guide_src/source/libraries/security.rst
diff options
context:
space:
mode:
authorAndrey Andreev <narf@bofh.bg>2012-02-29 22:44:17 +0100
committerAndrey Andreev <narf@bofh.bg>2012-02-29 22:44:17 +0100
commit99f31cd1a487d209fd9632b40baf12406bd897c1 (patch)
tree4d775677036840092dd29d4028a5d1b9d5a81751 /user_guide_src/source/libraries/security.rst
parent0b5a4867af78838f3c7e2726e469f904e15976f1 (diff)
parentdb0c06247949a4def38bcb0c0cf1239312140a81 (diff)
Merge branch 'develop' of github.com:EllisLab/CodeIgniter into develop-zip
Diffstat (limited to 'user_guide_src/source/libraries/security.rst')
-rw-r--r--user_guide_src/source/libraries/security.rst4
1 files changed, 4 insertions, 0 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
form_open() function will automatically insert a hidden csrf field in
your forms.
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+ $config['csrf_regeneration'] = TRUE;
+
Select URIs can be whitelisted from csrf protection (for example API
endpoints expecting externally POSTed content). You can add these URIs
by editing the 'csrf_exclude_uris' config parameter::