summaryrefslogtreecommitdiff
path: root/docs/ref/settings.txt
diff options
context:
space:
mode:
authorRaphael Michel <mail@raphaelmichel.de>2016-06-30 18:42:11 +0200
committerTim Graham <timograham@gmail.com>2016-11-30 08:57:27 -0500
commitddf169cdaca91e92dd5bfe6796bb6f38369ecb68 (patch)
tree4c472f6baad2d938f2889c3a3f2073c7e1724a06 /docs/ref/settings.txt
parentf24eea3b69d9c3139f0145cd48a8962f67671aff (diff)
Refs #16859 -- Allowed storing CSRF tokens in sessions.
Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review.
Diffstat (limited to 'docs/ref/settings.txt')
-rw-r--r--docs/ref/settings.txt17
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 5f669115ab..87dbc89584 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -377,6 +377,22 @@ Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``,
the cookie will be marked as "secure," which means browsers may ensure that the
cookie is only sent with an HTTPS connection.
+.. setting:: CSRF_USE_SESSIONS
+
+``CSRF_USE_SESSIONS``
+---------------------
+
+.. versionadded:: 1.11
+
+Default: ``False``
+
+Whether to store the CSRF token in the user's session instead of in a cookie.
+It requires the use of :mod:`django.contrib.sessions`.
+
+Storing the CSRF token in a cookie (Django's default) is safe, but storing it
+in the session is common practice in other web frameworks and therefore
+sometimes demanded by security auditors.
+
.. setting:: CSRF_FAILURE_VIEW
``CSRF_FAILURE_VIEW``
@@ -3407,6 +3423,7 @@ Security
* :setting:`CSRF_FAILURE_VIEW`
* :setting:`CSRF_HEADER_NAME`
* :setting:`CSRF_TRUSTED_ORIGINS`
+ * :setting:`CSRF_USE_SESSIONS`
* :setting:`SECRET_KEY`
* :setting:`X_FRAME_OPTIONS`