From 23ea93bf58bb3ad47bad08c17efa4067abbb5253 Mon Sep 17 00:00:00 2001 From: RS71 Date: Tue, 3 Jan 2012 12:43:16 -0200 Subject: Update user_guide_src/source/libraries/security.rst --- user_guide_src/source/libraries/security.rst | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'user_guide_src') diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index 8ee0c6e77..e7d25555f 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the form_open() function will automatically insert a hidden csrf field in your forms. +Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter:: + + $config['csrf_regeneration'] = TRUE; + Select URIs can be whitelisted from csrf protection (for example API endpoints expecting externally POSTed content). You can add these URIs by editing the 'csrf_exclude_uris' config parameter:: -- cgit v1.2.3-24-g4f1b
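Review bot: The config snippet at the end of the new paragraph, `$config['csrf_regeneration'] = TRUE;`, sets the value the preceding sentence already describes as the default, so it does not show the reader how to "alter this behavior". Either show the non-default setting, `$config['csrf_regeneration'] = FALSE;`, and state that it keeps one token for the life of the CSRF cookie, or list both values beside the snippet with what each does. Also, "as other tokens become invalid" is vague; "as any previously issued token becomes invalid" says which tokens are affected. Minor: the unchanged context line says "hidden csrf field" while the new text writes "CSRF cookie"; keep the capitalisation consistent within the section.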