| author | Casey Duncan <casey.duncan@gmail.com> | 2011-01-06 00:06:31 -0700 |
|---|---|---|
| committer | Casey Duncan <casey.duncan@gmail.com> | 2011-01-06 00:06:31 -0700 |
| commit | edd530c7bf07ff902585b57a136c0ab8fafc9254 (patch) | |
| tree | c1c1919297c16457abc2ba75b5c5b2568262937c /docs | |
| parent | f8f2fa32bcbec2334e02b9f16ee72d40e2fa857b (diff) | |
clarify by promoting parenthetical, add comment requesting some advice
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/narr/sessions.rst | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index cce77ca5b..bd0fe69bf 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -327,7 +327,7 @@ To get the current CSRF token from the session, use the token = request.session.get_csrf_token() The ``get_csrf_token()`` method accepts no arguments. It returns the "current" -*token* string (as per the last call to ``session.new_csrf_token()``). You can +*token* string generated by the last call to ``session.new_csrf_token()``. You can then use it to compare against the token provided within form post hidden value data. For example, if your form rendering included the CSRF token obtained via ``session.new_csrf_token()`` as a hidden input field named @@ -340,3 +340,6 @@ obtained via ``session.new_csrf_token()`` as a hidden input field named if token != request.POST['csrf_token']: raise ValueError('CSRF token did not match') +.. comment:: + XXX Some advice on when a new csrf token should be generated would be + useful. At login time? When the form is generated? |
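Review bot: the reworded line `+*token* string generated by the last call to ``session.new_csrf_token()``. You can` in the first hunk is clearer than the parenthetical, but the paragraph still does not say what ``get_csrf_token()`` returns when ``new_csrf_token()`` has never been called in the session; one sentence covering that case (whether a token is created on demand or nothing is returned) would make the ``token != request.POST['csrf_token']`` example safe to copy, since a comparison against a missing token is the situation a reader is most likely to get wrong.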
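Review bot: ``.. comment::`` in the second hunk is not a docutils or Sphinx directive, so the added block will break the docs build with an unknown-directive error instead of being silently dropped; a reST comment is an explicit markup start with no directive name, e.g. `.. XXX Some advice on when a new csrf token should be generated would be` followed by the continuation lines indented under it. The question the comment asks is also partly answered by the paragraph just above it, which has the form rendering call ``session.new_csrf_token()``: generating a fresh token on every render means an earlier form still open in another tab will fail the ``token != request.POST['csrf_token']`` check, and that consequence is worth stating in the prose rather than shipping as an XXX note.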
