path: root/user_guide_src/source/libraries/security.rst
authorRonald Beilsma <beilsma@gmail.com>2012-01-10 15:45:31 +0100
committerRonald Beilsma <beilsma@gmail.com>2012-01-10 15:45:31 +0100
commit25dcb93d05bd098e89188ea0691adf72228bd131 (patch)
tree37d3d769f2e64bebb48a98378c7aee3ab4c17efe /user_guide_src/source/libraries/security.rst
parentdb66eb38cfc4a2ab6c8816b8f7663211232d4f4e (diff)
parente9a5a862a1252548b463aa738e50e8d9bfd01379 (diff)
Merge branch 'develop' of git://github.com/EllisLab/CodeIgniter into develop
Diffstat (limited to 'user_guide_src/source/libraries/security.rst')
-rw-r--r--user_guide_src/source/libraries/security.rst4
1 files changed, 4 insertions, 0 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
form_open() function will automatically insert a hidden csrf field in
your forms.
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+ $config['csrf_regeneration'] = TRUE;
+
Select URIs can be whitelisted from csrf protection (for example API
endpoints expecting externally POSTed content). You can add these URIs
by editing the 'csrf_exclude_uris' config parameter::
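Review bot: the added paragraph at line 88 follows the context line "your forms." with no blank line in between, so reST will fold "Tokens may be either regenerated..." into the preceding form_open() paragraph instead of starting a new one; insert a `+` blank line before it. Two smaller points on the same hunk: the prose never states which value turns regeneration off, so adding something like "set it to FALSE to keep the same token for the life of the CSRF cookie" alongside the `$config['csrf_regeneration'] = TRUE;` example would make the option self-explanatory; and the "usability concerns" sentence could say plainly that any token issued before the most recent regeneration is rejected, which is what causes the back/forward, multi-tab and asynchronous-request failures it lists.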