Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge branch '6.3.x'

Josh Cummings 1 year ago
parent
78f2c15f0d 97a49e18b9
commit
ef35c4a64a
1 changed files with 1 additions and 1 deletions
Unified View Show Diff Stats
  1. 1 1
      docs/modules/ROOT/pages/servlet/exploits/csrf.adoc

+ 1 - 1
docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
View File 

@@ -130,7 +130,7 @@ You can also specify <<csrf-token-repository-custom,your own implementation>> to
 
 
 
 By default, Spring Security stores the expected CSRF token in the `HttpSession` by using javadoc:org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository[], so no additional code is necessary.
 
 By default, Spring Security stores the expected CSRF token in the `HttpSession` by using javadoc:org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository[], so no additional code is necessary.
 
 
 
-The `HttpSessionCsrfTokenRepository` reads the token from an HTTP request header named `X-CSRF-TOKEN` or the request parameter `_csrf` by default.
 
+The `HttpSessionCsrfTokenRepository` reads the token from a session (whether in-memory, cache, or database). If you need to access the session attribute directly, please first configure the session attribute name using `HttpSessionCsrfTokenRepository#setSessionAttributeName`.
 
 
 
 You can specify the default configuration explicitly using the following configuration:
 
 You can specify the default configuration explicitly using the following configuration: