replaced the 4th edition string with 6th edition pre-release, and added mention of disable CSRF option in auth
1 parent 08d3008 commit b450d38f69bc07d5e9676c6eccd34e955862f129 @timrichardson committed Sep 8, 2013
Showing with 4 additions and 1 deletion.
  1. +1 −1 controllers/default.py
  2. +3 −0 sources/29-web2py-english/09.markmin
@@ -12,7 +12,7 @@
FORCE_RENDER = True
response.title = 'web2py'
-response.subtitle = 'Full Stack Web Framework, 4th Ed.\nwritten by Massimo Di Pierro in English'
+response.subtitle = 'Full Stack Web Framework, 6th Ed (pre-release).\nwritten by Massimo Di Pierro in English'
response.menu = []
def splitter(x):
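Review bot: the new subtitle drops the abbreviation period the old string had: `4th Ed.` becomes `6th Ed (pre-release).`, with the period moved to after the parenthesis. For consistency with the previous form, write `'Full Stack Web Framework, 6th Ed. (pre-release)\nwritten by Massimo Di Pierro in English'` so "Ed." keeps its period and the edition label is still followed directly by the line break.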
@@ -57,6 +57,9 @@ auth.define_tables()
Auth has an optional ``secure=True`` argument, which will force authenticated pages to go over HTTPS. ``https``:inxx
+By default, Auth protects logins against cross-site request forgeries (CSRF). This is actually provided by web2py's standard CSRF protection whenever forms are generated in a session. However, under some circumstances, the overhead of creating a session for login,password request and reset attempts may be undesirable. DOS attacks are theoretically possible. CSRF protection can be disabled for Auth forms (as of v 2.6):
+``Auth = Auth(..., csrf_prevention = False)``:code
+Note that doing this purely to avoid session overload on a busy site is not recommended because of the introduced security risk. Instead, see the Deployment chapter for advice on reducing session overheads.
-------
The ``password`` field of the ``db.auth_user`` table defaults to a ``CRYPT`` validator, which needs and ``hmac_key``. On legacy web2py applications you may see an extra argument passed to the Auth constructor: ``hmac_key = Auth.get_or_create_key()``. The latter is a function that read the HMAC key from a file "private/auth.key" within the application folder. If the file does not exist it creates a random ``hmac_key``. If multiple apps share the same auth database, make sure they also use the same ``hmac_key``. This is no longer necessary for new applications since passwords are salted with an individual random salt.
-------
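Review bot: the added example `Auth = Auth(..., csrf_prevention = False)` rebinds the name `Auth` to the instance and shadows the class; the hunk's own context line `auth.define_tables()` uses the lowercase instance, so it should read `auth = Auth(..., csrf_prevention=False)`. In the added paragraph, `login,password request and reset attempts` is missing a space after the comma, `DOS` is conventionally written `DoS`, and the bare sentence `DOS attacks are theoretically possible` would be clearer if tied to the cause already stated in the previous sentence (a server-side session is created for every unauthenticated request to these forms), so the reader understands what is being traded against the CSRF protection before the following sentence advises against disabling it.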