Merge upstream branch

author: Andrey Andreev <narf@bofh.bg> 2012-03-08 00:42:59 +0100
committer: Andrey Andreev <narf@bofh.bg> 2012-03-08 00:42:59 +0100
commit: 7203d54604a372fd8dd0b30bd8d4cdbd0af738bc (patch)
tree: af3bac1918ebd0fbd3d7564fc7c5fca34e6c2733 /user_guide_src/source/libraries/security.rst
parent: 51a22815994cfd4522c78177e41f064ab8e53415 (diff)
parent: ad9cd5938fe3c0859445e43c893c18ed172a33ce (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
 form_open() function will automatically insert a hidden csrf field in
 your forms.
 
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+	$config['csrf_regeneration'] = TRUE;
+
 Select URIs can be whitelisted from csrf protection (for example API
 endpoints expecting externally POSTed content). You can add these URIs
 by editing the 'csrf_exclude_uris' config parameter::
author	Andrey Andreev <narf@bofh.bg>	2012-03-08 00:42:59 +0100
committer	Andrey Andreev <narf@bofh.bg>	2012-03-08 00:42:59 +0100
commit	7203d54604a372fd8dd0b30bd8d4cdbd0af738bc (patch)
tree	af3bac1918ebd0fbd3d7564fc7c5fca34e6c2733 /user_guide_src/source/libraries/security.rst
parent	51a22815994cfd4522c78177e41f064ab8e53415 (diff)
parent	ad9cd5938fe3c0859445e43c893c18ed172a33ce (diff)