diff options
| author | Raphael Michel <mail@raphaelmichel.de> | 2016-06-30 18:42:11 +0200 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-11-30 08:57:27 -0500 |
| commit | ddf169cdaca91e92dd5bfe6796bb6f38369ecb68 (patch) | |
| tree | 4c472f6baad2d938f2889c3a3f2073c7e1724a06 /docs/ref/settings.txt | |
| parent | f24eea3b69d9c3139f0145cd48a8962f67671aff (diff) | |
Refs #16859 -- Allowed storing CSRF tokens in sessions.
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
Diffstat (limited to 'docs/ref/settings.txt')
| -rw-r--r-- | docs/ref/settings.txt | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 5f669115ab..87dbc89584 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -377,6 +377,22 @@ Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``, the cookie will be marked as "secure," which means browsers may ensure that the cookie is only sent with an HTTPS connection. +.. setting:: CSRF_USE_SESSIONS + +``CSRF_USE_SESSIONS`` +--------------------- + +.. versionadded:: 1.11 + +Default: ``False`` + +Whether to store the CSRF token in the user's session instead of in a cookie. +It requires the use of :mod:`django.contrib.sessions`. + +Storing the CSRF token in a cookie (Django's default) is safe, but storing it +in the session is common practice in other web frameworks and therefore +sometimes demanded by security auditors. + .. setting:: CSRF_FAILURE_VIEW ``CSRF_FAILURE_VIEW`` @@ -3407,6 +3423,7 @@ Security * :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_HEADER_NAME` * :setting:`CSRF_TRUSTED_ORIGINS` + * :setting:`CSRF_USE_SESSIONS` * :setting:`SECRET_KEY` * :setting:`X_FRAME_OPTIONS` |
