summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorAlasdair Nicol <alasdair@thenicols.net>2017-01-19 20:56:39 +0000
committerTim Graham <timograham@gmail.com>2017-01-20 18:56:48 -0500
commit503e944ac792498e7b38c799d8e4b06f74e9d65a (patch)
tree07c6a54057c73a4c42ed558094ca27fe8ecb3532 /docs
parent1b06d5e6f6be8e567ce78c892c485af039830d7d (diff)
Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/csrf.txt7
1 files changed, 5 insertions, 2 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 488d31187f..fe5a70845e 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -527,13 +527,16 @@ Some security audit tools flag this as a problem but as mentioned before, an
attacker cannot steal a user's browser's CSRF cookie. "Stealing" or modifying
*your own* token using Firebug, Chrome dev tools, etc. isn't a vulnerability.
-Is the fact that Django's CSRF protection isn't linked to a session a problem?
-------------------------------------------------------------------------------
+Is it a problem that Django's CSRF protection isn't linked to a session by default?
+-----------------------------------------------------------------------------------
No, this is by design. Not linking CSRF protection to a session allows using
the protection on sites such as a `pastebin` that allow submissions from
anonymous users which don't have a session.
+If you wish to store the CSRF token in the user's session, use the
+:setting:`CSRF_USE_SESSIONS` setting.
+
Why might a user encounter a CSRF validation failure after logging in?
----------------------------------------------------------------------