Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.

503e944a · Alasdair Nicol · Tim Graham · 1b06d5e6 · 503e944a
Kaydet (Commit) 503e944a authored Ock 19, 2017 tarafından Alasdair Nicol Kaydeden (comit) Tim Graham Ock 20, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

csrf.txt docs/ref/csrf.txt +5 -2

No files found.
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -527,13 +527,16 @@ Some security audit tools flag this as a problem but as mentioned before, an
 attacker cannot steal a user's browser's CSRF cookie. "Stealing" or modifying
 *your own* token using Firebug, Chrome dev tools, etc. isn't a vulnerability.

-Is the fact that Django's CSRF protection isn't linked to a session a problem?
------------------------------------------------------------------------------
+Is it a problem that Django's CSRF protection isn't linked to a session by default?
+-----------------------------------------------------------------------------------

 No, this is by design. Not linking CSRF protection to a session allows using
 the protection on sites such as a `pastebin` that allow submissions from
 anonymous users which don't have a session.

+If you wish to store the CSRF token in the user's session, use the
+:setting:`CSRF_USE_SESSIONS` setting.
+
 Why might a user encounter a CSRF validation failure after logging in?
 ----------------------------------------------------------------------