summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/narr/csrf.rst30
1 files changed, 15 insertions, 15 deletions
diff --git a/docs/narr/csrf.rst b/docs/narr/csrf.rst
index 7d1ee6fea..7586b0ed7 100644
--- a/docs/narr/csrf.rst
+++ b/docs/narr/csrf.rst
@@ -28,35 +28,35 @@ To add a CSRF token to the session, use the ``session.new_csrf_token`` method.
The ``.new_csrf_token`` method accepts no arguments. It returns a *token*
string, which will be opaque and randomized. This token will also be set
-into the session, awaiting pickup by the ``session.pop_csrf_token`` method.
+into the session, awaiting pickup by the ``session.get_csrf_token`` method.
You can subsequently use the returned token as the value of a hidden field in
a form that posts to a method that requires elevated privileges. The handler
-for the form post should use ``session.pop_csrf_token`` (explained below) to
-pop the current CSRF token related to the user from the session, and compare
-it to the value of the hidden form field.
+for the form post should use ``session.get_csrf_token`` (explained below) to
+obtain the current CSRF token related to the user from the session, and
+compare it to the value of the hidden form field.
-Using the ``session.pop_csrf_token`` Method
+Using the ``session.get_csrf_token`` Method
-------------------------------------------
-To pop the current CSRF token from the session, use the
-``session.pop_csrf_token`` method.
+To get the current CSRF token from the session, use the
+``session.get_csrf_token`` method.
.. code-block:: python
:linenos:
- token = request.session.pop_csrf_token()
+ token = request.session.get_csrf_token()
-The ``.pop_csrf_token`` method accepts no arguments. It returns the
-"current" *token* string (as per the last call to
-``session.new_csrf_token``). You can then use it to compare against the
-token provided within form post hidden value data. For example, if your form
-rendering included the CSRF token obtained via ``session.new_csrf_token`` as
-a hidden input field named ``csrf_token``:
+The ``get_csrf_token`` method accepts no arguments. It returns the "current"
+*token* string (as per the last call to ``session.new_csrf_token``). You can
+then use it to compare against the token provided within form post hidden
+value data. For example, if your form rendering included the CSRF token
+obtained via ``session.new_csrf_token`` as a hidden input field named
+``csrf_token``:
.. code-block:: python
:linenos:
- token = request.session.pop_csrf_token()
+ token = request.session.get_csrf_token()
if token != request.POST['csrf_token']:
raise ValueError('CSRF token did not match')
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-20 07:18:20 +0000