From: Ben Darnell Date: Sun, 1 May 2011 19:17:00 +0000 (-0700) Subject: Document the ability to modify XSRF protection by overriding check_xsrf_cookie. X-Git-Tag: v2.0.0~93 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb9e40b701fea5b37b81f4d97976372630d507fa;p=thirdparty%2Ftornado.git Document the ability to modify XSRF protection by overriding check_xsrf_cookie. Closes #254 --- diff --git a/website/templates/documentation.txt b/website/templates/documentation.txt index b04ed8add..31b313432 100644 --- a/website/templates/documentation.txt +++ b/website/templates/documentation.txt @@ -456,6 +456,14 @@ For `PUT` and `DELETE` requests (as well as `POST` requests that do not use form-encoded arguments), the XSRF token may also be passed via an HTTP header named `X-XSRFToken`. +If you need to customize XSRF behavior on a per-handler basis, you can +override `RequestHandler.check_xsrf_cookie()`. For example, if you have +an API whose authentication does not use cookies, you may want to disable +XSRF protection by making `check_xsrf_cookie()` do nothing. However, if +you support both cookie and non-cookie-based authentication, it is important +that XSRF protection be used whenever the current request is authenticated +with a cookie. + ### Static files and aggressive file caching
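
Review bot: In the added paragraph of the `website/templates/documentation.txt` hunk, the last sentence ("it is important that XSRF protection be used whenever the current request is authenticated with a cookie") states the requirement for handlers that accept both kinds of authentication but does not say how an override should meet it. Suggest adding that in the mixed case the override should call the inherited `RequestHandler.check_xsrf_cookie()` whenever the request was authenticated with a cookie, and skip the check only when the non-cookie mechanism authenticated it. The preceding sentence ("disable XSRF protection by making `check_xsrf_cookie()` do nothing") would also be safer if it said outright that the no-op override belongs only on handlers that never accept cookie authentication, since as written it can be copied as a general recipe for any API handler.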