diff options
| author | Chris McDonough <chrism@plope.com> | 2010-12-22 22:59:54 -0500 |
|---|---|---|
| committer | Chris McDonough <chrism@plope.com> | 2010-12-22 22:59:54 -0500 |
| commit | 36ea5b34b4ba25666a5b1d5fa86295e26395e921 (patch) | |
| tree | f5a7de1941c80f576dbdcb031f22b0d518a35fc7 /docs | |
| parent | 98d171f300186b30912770ff68baa67787b7b4c1 (diff) | |
| download | pyramid-36ea5b34b4ba25666a5b1d5fa86295e26395e921.tar.gz pyramid-36ea5b34b4ba25666a5b1d5fa86295e26395e921.tar.bz2 pyramid-36ea5b34b4ba25666a5b1d5fa86295e26395e921.zip | |
Changed my mind. Never pop the CSRF token. Leave it around until
a new one replaces it.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/narr/csrf.rst | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/docs/narr/csrf.rst b/docs/narr/csrf.rst index 7d1ee6fea..7586b0ed7 100644 --- a/docs/narr/csrf.rst +++ b/docs/narr/csrf.rst @@ -28,35 +28,35 @@ To add a CSRF token to the session, use the ``session.new_csrf_token`` method. The ``.new_csrf_token`` method accepts no arguments. It returns a *token* string, which will be opaque and randomized. This token will also be set -into the session, awaiting pickup by the ``session.pop_csrf_token`` method. +into the session, awaiting pickup by the ``session.get_csrf_token`` method. You can subsequently use the returned token as the value of a hidden field in a form that posts to a method that requires elevated privileges. The handler -for the form post should use ``session.pop_csrf_token`` (explained below) to -pop the current CSRF token related to the user from the session, and compare -it to the value of the hidden form field. +for the form post should use ``session.get_csrf_token`` (explained below) to +obtain the current CSRF token related to the user from the session, and +compare it to the value of the hidden form field. -Using the ``session.pop_csrf_token`` Method +Using the ``session.get_csrf_token`` Method ------------------------------------------- -To pop the current CSRF token from the session, use the -``session.pop_csrf_token`` method. +To get the current CSRF token from the session, use the +``session.get_csrf_token`` method. .. code-block:: python :linenos: - token = request.session.pop_csrf_token() + token = request.session.get_csrf_token() -The ``.pop_csrf_token`` method accepts no arguments. It returns the -"current" *token* string (as per the last call to -``session.new_csrf_token``). You can then use it to compare against the -token provided within form post hidden value data. For example, if your form -rendering included the CSRF token obtained via ``session.new_csrf_token`` as -a hidden input field named ``csrf_token``: +The ``get_csrf_token`` method accepts no arguments. It returns the "current" +*token* string (as per the last call to ``session.new_csrf_token``). You can +then use it to compare against the token provided within form post hidden +value data. For example, if your form rendering included the CSRF token +obtained via ``session.new_csrf_token`` as a hidden input field named +``csrf_token``: .. code-block:: python :linenos: - token = request.session.pop_csrf_token() + token = request.session.get_csrf_token() if token != request.POST['csrf_token']: raise ValueError('CSRF token did not match') |