summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2011-05-09 23:00:22 +0000
committerLuke Plant <L.Plant.98@cantab.net>2011-05-09 23:00:22 +0000
commit8cbcf1d3a60a0ba1a6f3ddde9317ac07b67c6c5d (patch)
tree3c3167a0ee242211f6b2637e62c99ff34a896d15 /docs/ref
parenta75120927e52210c062cd54d1cf2a6968b507cf5 (diff)
Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie
Thanks to cfattarsi for the report and initial patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/contrib/csrf.txt25
-rw-r--r--docs/ref/settings.txt29
2 files changed, 54 insertions, 0 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 88e9523719..b42dc26fbd 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -423,6 +423,31 @@ Default: ``'csrftoken'``
The name of the cookie to use for the CSRF authentication token. This can be
whatever you want.
+CSRF_COOKIE_PATH
+----------------
+
+.. versionadded:: 1.4
+
+Default: ``'/'``
+
+The path set on the CSRF cookie. This should either match the URL path of your
+Django installation or be a parent of that path.
+
+This is useful if you have multiple Django instances running under the same
+hostname. They can use different cookie paths, and each instance will only see
+its own CSRF cookie.
+
+CSRF_COOKIE_SECURE
+------------------
+
+.. versionadded:: 1.4
+
+Default: ``False``
+
+Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``,
+the cookie will be marked as "secure," which means browsers may ensure that the
+cookie is only sent under an HTTPS connection.
+
CSRF_FAILURE_VIEW
-----------------
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index f8a5e0f640..f5f1226f21 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -340,6 +340,35 @@ Default: ``'csrftoken'``
The name of the cookie to use for the CSRF authentication token. This can be whatever you
want. See :doc:`/ref/contrib/csrf`.
+.. setting:: CSRF_COOKIE_PATH
+
+CSRF_COOKIE_PATH
+----------------
+
+.. versionadded:: 1.4
+
+Default: ``'/'``
+
+The path set on the CSRF cookie. This should either match the URL path of your
+Django installation or be a parent of that path.
+
+This is useful if you have multiple Django instances running under the same
+hostname. They can use different cookie paths, and each instance will only see
+its own CSRF cookie.
+
+.. setting:: CSRF_COOKIE_SECURE
+
+CSRF_COOKIE_SECURE
+------------------
+
+.. versionadded:: 1.4
+
+Default: ``False``
+
+Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``,
+the cookie will be marked as "secure," which means browsers may ensure that the
+cookie is only sent under an HTTPS connection.
+
.. setting:: CSRF_FAILURE_VIEW
CSRF_FAILURE_VIEW