From 30f203ac5be8bc67b54be11d23b2df75cf82bcaa Mon Sep 17 00:00:00 2001
From: Boris Diakur <contact@borisdiakur.com>
Date: Wed, 18 Mar 2015 10:38:26 +0100
Subject: [PATCH] docs: clarify when session vs cookie parser required

closes #62
closes #63
---
 README.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index e8e4213..9cb886e 100644
--- a/README.md
+++ b/README.md
@@ -42,9 +42,13 @@ any of the following keys:
 ##### cookie
 
 Determines if the token secret for the user should be stored in a cookie
-(when set to `true` or an object, requires a cookie parsing module) or in
-`req.session` (when set to `false`, provided by another module). Defaults
-to `false`.
+(when set to `true` or an object, a cookie parsing module e.g.
+[cookie-parser](https://www.npmjs.com/package/cookie-parser) must be required
+before csurf) or in `req.session` (when set to `false` a session module, e.g.
+[express-session](https://www.npmjs.com/package/express-session) or
+[cookie-session](https://www.npmjs.com/package/cookie-session) must be required
+before csurf). Defaults to `false`. Note that you need _either_ a session
+middleware _or_ cookie-parser, not _both_.
 
 When set to an object, cookie storage of the secret is enabled and the
 object contains options for this functionality (when set to `true`, the