summaryrefslogtreecommitdiffstats
path: root/user_guide_src
diff options
context:
space:
mode:
Diffstat (limited to 'user_guide_src')
-rw-r--r--user_guide_src/source/changelog.rst9
-rw-r--r--user_guide_src/source/installation/upgrade_300.rst9
-rw-r--r--user_guide_src/source/libraries/security.rst4
3 files changed, 17 insertions, 5 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 763f58b8f..d9eca7fef 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -31,6 +31,8 @@ Release Date: Not Released
- Added application/xml for xml and application/xml, text/xsl for xsl in mimes.php.
- Changed logger to only chmod when file is first created.
- Removed previously deprecated SHA1 Library.
+ - Removed previously deprecated use of ``$autoload['core']`` in application/config/autoload.php.
+ Only entries in ``$autoload['libraries']`` are auto-loaded now.
- Helpers
@@ -63,13 +65,14 @@ Release Date: Not Released
if they are set manually after initialization.
- Minor speed optimizations and method & property visibility declarations in the Calendar Library.
- Removed SHA1 function in the :doc:`Encryption Library <libraries/encryption>`.
+ - Added $config['csrf_regeneration'] to the CSRF protection in the :doc:`Security library <libraries/security>`, which makes token regeneration optional.
+
- Core
- - Changed private functions in CI_URI to protected so MY_URI can
- override them.
+ - Changed private functions in CI_URI to protected so MY_URI can override them.
- Removed CI_CORE boolean constant from CodeIgniter.php (no longer Reactor and Core versions).
- - Added method get_vars() to CI_Loader to retrieve all variables loaded with $this->load->vars()
+ - Added method get_vars() to CI_Loader to retrieve all variables loaded with $this->load->vars().
Bug fixes for 3.0
------------------
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 960485ae3..4c594ab17 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -15,6 +15,9 @@ Replace all files and directories in your "system" folder and replace
your index.php file. If any modifications were made to your index.php
they will need to be made fresh in this new one.
+.. note:: If you have any custom developed files in these folders please
+ make copies of them first.
+
Step 2: Change References to the SHA Library
============================================
@@ -23,6 +26,8 @@ Alter your code to use the native `sha1()` PHP function to generate a sha1 hash.
Additionally, the `sha1()` method in the :doc:`Encryption Library <../libraries/encryption>` has been removed.
+Step 3: Remove $autoload['core'] from your config/autoload.php
+==============================================================
-.. note:: If you have any custom developed files in these folders please
- make copies of them first.
+Use of the `$autoload['core']` config array has been deprecated as of CodeIgniter 1.4.1 and is now removed.
+Move any entries that you might have listed there to `$autoload['libraries']` instead.
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
form_open() function will automatically insert a hidden csrf field in
your forms.
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+ $config['csrf_regeneration'] = TRUE;
+
Select URIs can be whitelisted from csrf protection (for example API
endpoints expecting externally POSTed content). You can add these URIs
by editing the 'csrf_exclude_uris' config parameter::