Update user_guide_src/source/libraries/security.rst

author: RS71 <mr.toaster@gmail.com> 2012-01-03 15:43:16 +0100
committer: RS71 <mr.toaster@gmail.com> 2012-01-03 15:43:16 +0100
commit: 23ea93bf58bb3ad47bad08c17efa4067abbb5253 (patch)
tree: 9997c3bc237cceea14e10584356ed1050b19dc86 /user_guide_src
parent: 4b2e9fea1f34b4b2cff30b3211579e883b31005d (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
 form_open() function will automatically insert a hidden csrf field in
 your forms.
 
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+	$config['csrf_regeneration'] = TRUE;
+
 Select URIs can be whitelisted from csrf protection (for example API
 endpoints expecting externally POSTed content). You can add these URIs
 by editing the 'csrf_exclude_uris' config parameter::
author	RS71 <mr.toaster@gmail.com>	2012-01-03 15:43:16 +0100
committer	RS71 <mr.toaster@gmail.com>	2012-01-03 15:43:16 +0100
commit	23ea93bf58bb3ad47bad08c17efa4067abbb5253 (patch)
tree	9997c3bc237cceea14e10584356ed1050b19dc86 /user_guide_src
parent	4b2e9fea1f34b4b2cff30b3211579e883b31005d (diff)