| author | Tim Graham <timograham@gmail.com> | 2021-01-02 19:56:54 -0500 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-01-04 07:49:30 +0100 |
| commit | 2e7ba6057cfc82a15a22b6021cd60cf307152e2d (patch) | |
| tree | 60074c90404df54e319f408c3bc74098f601b871 /docs | |
| parent | 3363cf42255b7a960902ab561613460ebe777331 (diff) | |
Refs #28741 -- Doc'd SESSION_COOKIE_DOMAIN requirement with CSRF_USE_SESSIONS.
Similar considerations as refs #32065, again adding some nuance to
afd375fc343baa46e61036087bc43b3d096bb0ca.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/settings.txt | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 856d4cc36b..5fdb76b2d0 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -3167,6 +3167,10 @@ The domain to use for session cookies. Set this to a string such as ``"example.com"`` for cross-domain cookies, or use ``None`` for a standard domain cookie. +To use cross-domain cookies with :setting:`CSRF_USE_SESSIONS`, you must include +a leading dot (e.g. ``".example.com"``) to accommodate the CSRF middleware's +referer checking. + Be cautious when updating this setting on a production site. If you update this setting to enable cross-domain cookies on a site that previously used standard domain cookies, existing user cookies will be set to the old |
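Review bot: The new paragraph under SESSION_COOKIE_DOMAIN requires a leading dot (``".example.com"``) when CSRF_USE_SESSIONS is enabled, but the unchanged sentence directly above it still gives ``"example.com"`` as the cross-domain example, so the entry now shows two different forms without saying when the dot-less one is acceptable. Suggest rewording so it is explicit that the dot-less form only applies without CSRF_USE_SESSIONS, and adding a clause on what the reader will observe if the dot is omitted, since "to accommodate the CSRF middleware's referer checking" names the cause but not the symptom someone would be searching for.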
