From f4db2d16ec42922078ff1951cd696c9b49e1e2f6 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Sat, 2 Jan 2021 19:56:54 -0500 Subject: [PATCH] [3.1.x] Refs #28741 -- Doc'd SESSION_COOKIE_DOMAIN requirement with CSRF_USE_SESSIONS. Similar considerations as refs #32065, again adding some nuance to afd375fc343baa46e61036087bc43b3d096bb0ca. Backport of 2e7ba6057cfc82a15a22b6021cd60cf307152e2d from master --- docs/ref/settings.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index fe84d21d1c..1cf87db210 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -3172,6 +3172,10 @@ The domain to use for session cookies. Set this to a string such as ``"example.com"`` for cross-domain cookies, or use ``None`` for a standard domain cookie. +To use cross-domain cookies with :setting:`CSRF_USE_SESSIONS`, you must include +a leading dot (e.g. ``".example.com"``) to accommodate the CSRF middleware's +referer checking. + Be cautious when updating this setting on a production site. If you update this setting to enable cross-domain cookies on a site that previously used standard domain cookies, existing user cookies will be set to the old
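Review bot: The added paragraph in the ``SESSION_COOKIE_DOMAIN`` hunk says the leading dot is needed "to accommodate the CSRF middleware's referer checking" but never says what goes wrong without it; a reader cannot tell whether the consequence is a misconfiguration warning, a lost session, or rejected requests. Since the rule only exists because the referer check matches the referer's host against the configured domain, and that match is exact unless the pattern starts with a dot, spell out the failure mode, e.g. "otherwise the referer check only accepts requests whose host exactly equals the configured domain, and requests from subdomains are rejected with a 403", and note that the check applies to HTTPS requests, which is the only case in which the referer is validated. Also consider cross-referencing the equivalent note under ``CSRF_COOKIE_DOMAIN`` (the refs #32065 change the commit message mentions), so that someone switching ``CSRF_USE_SESSIONS`` on or off finds the same requirement documented for whichever setting the middleware consults.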