Item13883: Better docs on validation
Rest handler doesn't expire the keys
gac410 committed Jan 14, 2016
1 parent bce38c0 commit 3000672
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions core/lib/Foswiki.spec
Expand Up @@ -373,7 +373,7 @@ $Foswiki::cfg{Validation}{MaxKeysPerSession} = 1000;

# **BOOLEAN LABEL="Expire Validation Key on Use" EXPERT DISPLAY_IF="{Validation}{Method}!='none'" CHECK="iff:'{Validation}{Method} ne q<none>'"**
# Expire a validation key immediately when it is used to validate the saving
# of a page. This protects against an attacker eavesdropping the communication
# of a page (N/A for =rest= requests). This protects against an attacker eavesdropping the communication
# between browser and server and exploiting the keys sent from browser to
# server. If this is enabled and a user edits and saves a page, and then goes
# back to the edit screen using the browser back button and saves again, they
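Review bot: The parenthetical "(N/A for =rest= requests)" in the second comment line is ambiguous, and the sentence that follows it still reads as if the eavesdropping protection covers every request. "N/A" could mean either that the setting is ignored for =rest= or that =rest= requests carry no validation key at all. Suggest spelling it out as its own sentence, for example "Keys used to validate =rest= requests are not expired on use.", and qualifying the "This protects against an attacker eavesdropping" sentence so an administrator does not assume =rest= handlers get the same one-time-key behaviour. The changed line is also much longer than the neighbouring comment lines and should be rewrapped to match.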
Expand All @@ -383,7 +383,8 @@ $Foswiki::cfg{Validation}{MaxKeysPerSession} = 1000;
# forms more than once. If this warning screen is a problem for your users, you
# can disable this setting which enables reuse of validation keys.
# However this will lower the level of security against cross-site request
# forgery.
# forgery. Note however that =rest= requests, for example, the CommentPlugin =comment= action,
# do not expire the key.
$Foswiki::cfg{Validation}{ExpireKeyOnUse} = 1;

#---++ Login
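Review bot: The added note "Note however that =rest= requests ... do not expire the key." is attached to the paragraph about disabling the setting, right after "However this will lower the level of security", so it reads as a consequence of turning ExpireKeyOnUse off rather than a limitation that holds when it is on (the default here is 1). It would be clearer as a separate paragraph that states the limitation once, which would also remove the back-to-back "However" / "Note however" and the duplication with the "(N/A for =rest= requests)" remark added in the earlier hunk. The comma after "for example" breaks up the phrase "for example the CommentPlugin =comment= action", and the first added line overruns the wrap width used by the rest of the comment block.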