Merged develop and fixed conflicts.

author: Phil Sturgeon <email@philsturgeon.co.uk> 2012-03-04 20:45:14 +0100
committer: Phil Sturgeon <email@philsturgeon.co.uk> 2012-03-04 20:45:14 +0100
commit: 0f2cb79b976086cb73140c25f4c568e865177426 (patch)
tree: e67e0247e540ea8be6c7b37f627c4b13c0f0a586 /user_guide_src/source/libraries/security.rst
parent: ef38f0a6d83025fbd99ace5ec60311acfe9121c4 (diff)
parent: e30e400581a663045486985d0e75bc77631a2ef2 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
 form_open() function will automatically insert a hidden csrf field in
 your forms.
 
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+	$config['csrf_regeneration'] = TRUE;
+
 Select URIs can be whitelisted from csrf protection (for example API
 endpoints expecting externally POSTed content). You can add these URIs
 by editing the 'csrf_exclude_uris' config parameter::
author	Phil Sturgeon <email@philsturgeon.co.uk>	2012-03-04 20:45:14 +0100
committer	Phil Sturgeon <email@philsturgeon.co.uk>	2012-03-04 20:45:14 +0100
commit	0f2cb79b976086cb73140c25f4c568e865177426 (patch)
tree	e67e0247e540ea8be6c7b37f627c4b13c0f0a586 /user_guide_src/source/libraries/security.rst
parent	ef38f0a6d83025fbd99ace5ec60311acfe9121c4 (diff)
parent	e30e400581a663045486985d0e75bc77631a2ef2 (diff)