From e5f66f8e839ee5d7eeaebb118c9d03f11578dd14 Mon Sep 17 00:00:00 2001 From: Casey Duncan Date: Wed, 5 Jan 2011 23:58:24 -0700 Subject: add parens to method references --- docs/narr/sessions.rst | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) (limited to 'docs') diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index 6a6de2639..edd24d839 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -301,19 +301,18 @@ as described in :ref:`using_the_default_session_factory` or Using the ``session.new_csrf_token`` Method ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -To add a CSRF token to the session, use the ``session.new_csrf_token`` method. +To add a CSRF token to the session, use the ``session.new_csrf_token()`` method. .. code-block:: python - :linenos: token = request.session.new_csrf_token() -The ``.new_csrf_token`` method accepts no arguments. It returns a *token* +The ``new_csrf_token()`` method accepts no arguments. It returns a *token* string, which will be opaque and randomized. This token will also be set -into the session, awaiting pickup by the ``session.get_csrf_token`` method. +into the session, awaiting pickup by the ``session.get_csrf_token()`` method. You can subsequently use the returned token as the value of a hidden field in a form that posts to a method that requires elevated privileges. The handler -for the form post should use ``session.get_csrf_token`` (explained below) to +for the form post should use ``session.get_csrf_token()`` (explained below) to obtain the current CSRF token related to the user from the session, and compare it to the value of the hidden form field. 
@@ -321,19 +320,18 @@ Using the ``session.get_csrf_token`` Method ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To get the current CSRF token from the session, use the -``session.get_csrf_token`` method. +``session.get_csrf_token()`` method. .. code-block:: python - :linenos: token = request.session.get_csrf_token() -The ``get_csrf_token`` method accepts no arguments. It returns the "current" -*token* string (as per the last call to ``session.new_csrf_token``). You can +The ``get_csrf_token()`` method accepts no arguments. It returns the "current" +*token* string (as per the last call to ``session.new_csrf_token()``). You can then use it to compare against the token provided within form post hidden value data. For example, if your form rendering included the CSRF token -obtained via ``session.new_csrf_token`` as a hidden input field named -``csrf_token``: +obtained via ``session.new_csrf_token()`` as a hidden input field named +``csrf_token()``: .. code-block:: python :linenos: @@ -342,5 +340,3 @@ obtained via ``session.new_csrf_token`` as a hidden input field named if token != request.POST['csrf_token']: raise ValueError('CSRF token did not match') - - -- cgit v1.2.3
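Review bot: in the first hunk (@@ -301,19 +301,18 @@), the section heading "Using the ``session.new_csrf_token`` Method" is left without parentheses while every reference in the body below it now reads ``session.new_csrf_token()``. Either update the heading as well, extending its ``~`` underline by two characters so the title and underline still match in length, or keep the headings deliberately bare and say so in the commit message. This hunk also drops ``:linenos:`` from the code block, which the subject "add parens to method references" does not cover; mention it in the message or move it to a separate commit.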
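Review bot: in the second hunk (@@ -321,19 +320,18 @@), the last changed line turns the hidden input field name into ``csrf_token()``, but that is a form field name, not a method, and the example right after it reads ``request.POST['csrf_token']``. Keep that line as ``csrf_token``: so that the text matches the key the handler looks up. The heading "Using the ``session.get_csrf_token`` Method" is also left without parentheses here, and the final code block keeps ``:linenos:`` while the two blocks above lose it, so the three examples on the page end up rendered inconsistently.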