From 23ea93bf58bb3ad47bad08c17efa4067abbb5253 Mon Sep 17 00:00:00 2001
From: RS71 <mr.toaster@gmail.com>
Date: Tue, 3 Jan 2012 12:43:16 -0200
Subject: Update user_guide_src/source/libraries/security.rst

---
 user_guide_src/source/libraries/security.rst | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'user_guide_src/source')

diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the
 form_open() function will automatically insert a hidden csrf field in
 your forms.
 
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+	$config['csrf_regeneration'] = TRUE;
+
 Select URIs can be whitelisted from csrf protection (for example API
 endpoints expecting externally POSTed content). You can add these URIs
 by editing the 'csrf_exclude_uris' config parameter::
-- 
cgit v1.2.3-24-g4f1b


From 0fc6409cae13c6be6749e1f160a144fc90713f8b Mon Sep 17 00:00:00 2001
From: RS71 <mr.toaster@gmail.com>
Date: Tue, 3 Jan 2012 12:50:55 -0200
Subject: Update user_guide_src/source/changelog.rst

---
 user_guide_src/source/changelog.rst | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'user_guide_src/source')

diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 59d2ea88d..b2f247589 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -61,6 +61,8 @@ Release Date: Not Released
 	    if they are set manually after initialization.
    -  Minor speed optimizations and method & property visibility declarations in the Calendar Library.
    -  Removed SHA1 function in the :doc:`Encryption Library <libraries/encryption>`.
+   -  Added $config['csrf_regeneration'] to the CSRF protection in the :doc:`Security library <libraries/security>`, which makes token regeneration optional.
+
 
 -  Core
 
-- 
cgit v1.2.3-24-g4f1b


From 75f7c12815c62782163a54e84707f50459b6ef5d Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@bofh.bg>
Date: Sun, 8 Jan 2012 03:49:25 +0200
Subject: Remove loading of ['core'] elements

---
 user_guide_src/source/changelog.rst                | 7 ++++---
 user_guide_src/source/installation/upgrade_300.rst | 9 +++++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

(limited to 'user_guide_src/source')

diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 763f58b8f..7e7be0689 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -31,6 +31,8 @@ Release Date: Not Released
    -  Added application/xml for xml and application/xml, text/xsl for xsl in mimes.php.
    -  Changed logger to only chmod when file is first created.
    -  Removed previously deprecated SHA1 Library.
+   -  Removed previously deprecated use of ``$autoload['core']`` in application/config/autoload.php.
+      Only entries in ``$autoload['libraries']`` are auto-loaded now.
 
 -  Helpers
 
@@ -66,10 +68,9 @@ Release Date: Not Released
 
 -  Core
 
-   -  Changed private functions in CI_URI to protected so MY_URI can
-      override them.
+   -  Changed private functions in CI_URI to protected so MY_URI can override them.
    -  Removed CI_CORE boolean constant from CodeIgniter.php (no longer Reactor and Core versions).
-   -  Added method get_vars() to CI_Loader to retrieve all variables loaded with $this->load->vars()
+   -  Added method get_vars() to CI_Loader to retrieve all variables loaded with $this->load->vars().
 
 Bug fixes for 3.0
 ------------------
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 960485ae3..4c594ab17 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -15,6 +15,9 @@ Replace all files and directories in your "system" folder and replace
 your index.php file. If any modifications were made to your index.php
 they will need to be made fresh in this new one.
 
+.. note:: If you have any custom developed files in these folders please
+	make copies of them first.
+
 Step 2: Change References to the SHA Library
 ============================================
 
@@ -23,6 +26,8 @@ Alter your code to use the native `sha1()` PHP function to generate a sha1 hash.
 
 Additionally, the `sha1()` method in the :doc:`Encryption Library <../libraries/encryption>` has been removed.
 
+Step 3: Remove $autoload['core'] from your config/autoload.php
+==============================================================
 
-.. note:: If you have any custom developed files in these folders please
-	make copies of them first.
+Use of the `$autoload['core']` config array has been deprecated as of CodeIgniter 1.4.1 and is now removed.
+Move any entries that you might have listed there to `$autoload['libraries']` instead.
-- 
cgit v1.2.3-24-g4f1b