diff options
| author | Alasdair Nicol <alasdair@thenicols.net> | 2017-01-19 20:56:39 +0000 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2017-01-20 19:00:56 -0500 |
| commit | 6bb01b0b3cc6e5b2cf8d75ed2fd00a442d5caf52 (patch) | |
| tree | f782fc50d6b17ac94f2265ec50d731ec700a7444 | |
| parent | c96d1c74766a14c9d2b2796e7f5b176a02ab0fac (diff) | |
[1.11.x] Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.
Backport of 503e944ac792498e7b38c799d8e4b06f74e9d65a from master
| -rw-r--r-- | docs/ref/csrf.txt | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 3d1ecc1237..a95bc2af60 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -532,13 +532,16 @@ Some security audit tools flag this as a problem but as mentioned before, an attacker cannot steal a user's browser's CSRF cookie. "Stealing" or modifying *your own* token using Firebug, Chrome dev tools, etc. isn't a vulnerability. -Is the fact that Django's CSRF protection isn't linked to a session a problem? ------------------------------------------------------------------------------- +Is it a problem that Django's CSRF protection isn't linked to a session by default? +----------------------------------------------------------------------------------- No, this is by design. Not linking CSRF protection to a session allows using the protection on sites such as a `pastebin` that allow submissions from anonymous users which don't have a session. +If you wish to store the CSRF token in the user's session, use the +:setting:`CSRF_USE_SESSIONS` setting. + Why might a user encounter a CSRF validation failure after logging in? ---------------------------------------------------------------------- |
