summaryrefslogtreecommitdiffstats
path: root/user_guide_src
diff options
context:
space:
mode:
authorPhil Sturgeon <email@philsturgeon.co.uk>2012-01-08 04:02:46 +0100
committerPhil Sturgeon <email@philsturgeon.co.uk>2012-01-08 04:02:46 +0100
commit352d60e9f3a65def29e02a4507ef742eac255333 (patch)
tree5b312692feeb7b55fdc0a0857b01c9549c214e34 /user_guide_src
parent306e83a98127ef57cc020d183a184f7fd95df96e (diff)
parent0fc6409cae13c6be6749e1f160a144fc90713f8b (diff)
Merge pull request #850 from RS71/develop
CSRF optional token regeneration
Diffstat (limited to 'user_guide_src')
-rw-r--r--user_guide_src/source/changelog.rst2
-rw-r--r--user_guide_src/source/libraries/security.rst4
2 files changed, 6 insertions, 0 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 7e7be0689..d9eca7fef 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -65,6 +65,8 @@ Release Date: Not Released
if they are set manually after initialization.
- Minor speed optimizations and method & property visibility declarations in the Calendar Library.
- Removed SHA1 function in the :doc:`Encryption Library <libraries/encryption>`.
+ - Added $config['csrf_regeneration'] to the CSRF protection in the :doc:`Security library <libraries/security>`, which makes token regeneration optional.
+
- Core
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
form_open() function will automatically insert a hidden csrf field in
your forms.
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+ $config['csrf_regeneration'] = TRUE;
+
Select URIs can be whitelisted from csrf protection (for example API
endpoints expecting externally POSTed content). You can add these URIs
by editing the 'csrf_exclude_uris' config parameter::