Merge branch 'develop' of https://github.com/EllisLab/CodeIgniter into develop

author: Mike Funk <mfunk@xulonpress.com> 2012-02-23 20:52:23 +0100
committer: Mike Funk <mfunk@xulonpress.com> 2012-02-23 20:52:23 +0100
commit: 27a536dd3570f867ef807ab12391da032b32f09a (patch)
tree: 344b7dab21ea563e54567e428de3791c146e3ae3 /user_guide_src/source/libraries/security.rst
parent: 8afb848fded8fbdfa24b72df7f067e960c83c0e8 (diff)
parent: e2675736f3a68b1f64e135d827f6a70e0ae892fb (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
 form_open() function will automatically insert a hidden csrf field in
 your forms.
 
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+	$config['csrf_regeneration'] = TRUE;
+
 Select URIs can be whitelisted from csrf protection (for example API
 endpoints expecting externally POSTed content). You can add these URIs
 by editing the 'csrf_exclude_uris' config parameter::
author	Mike Funk <mfunk@xulonpress.com>	2012-02-23 20:52:23 +0100
committer	Mike Funk <mfunk@xulonpress.com>	2012-02-23 20:52:23 +0100
commit	27a536dd3570f867ef807ab12391da032b32f09a (patch)
tree	344b7dab21ea563e54567e428de3791c146e3ae3 /user_guide_src/source/libraries/security.rst
parent	8afb848fded8fbdfa24b72df7f067e960c83c0e8 (diff)
parent	e2675736f3a68b1f64e135d827f6a70e0ae892fb (diff)