Diffstat (limited to 'docs')
| -rw-r--r-- | docs/narr/sessions.rst | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index cce77ca5b..bd0fe69bf 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -327,7 +327,7 @@ To get the current CSRF token from the session, use the token = request.session.get_csrf_token() The ``get_csrf_token()`` method accepts no arguments. It returns the "current" -*token* string (as per the last call to ``session.new_csrf_token()``). You can +*token* string generated by the last call to ``session.new_csrf_token()``. You can then use it to compare against the token provided within form post hidden value data. For example, if your form rendering included the CSRF token obtained via ``session.new_csrf_token()`` as a hidden input field named @@ -340,3 +340,6 @@ obtained via ``session.new_csrf_token()`` as a hidden input field named if token != request.POST['csrf_token']: raise ValueError('CSRF token did not match') +.. comment:: + XXX Some advice on when a new csrf token should be generated would be + useful. At login time? When the form is generated? |
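Review bot: the rewording in the first hunk reads better, but the clause right after it, "compare against the token provided within form post hidden value data", is still hard to parse; suggest "compare it against the value submitted in the form's hidden ``csrf_token`` field" so the prose matches the example that follows, which reads ``request.POST['csrf_token']``.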
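Review bot: ``.. comment::`` in the second hunk is not a docutils or Sphinx directive, so a docs build will report ``Unknown directive type "comment"`` and render that error into the page; a reStructuredText comment needs no directive name, e.g. ``.. XXX Some advice on when a new csrf token should be generated would be useful.``, or use ``.. todo::`` if ``sphinx.ext.todo`` is enabled. Since this section is the documented recommendation, the unchanged context line ``if token != request.POST['csrf_token']:`` is also worth a look: ``hmac.compare_digest(token, request.POST.get('csrf_token', ''))`` demonstrates a timing-safe comparison and avoids a ``KeyError`` when the field is missing.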
