[3.1.x] Refs #28741 -- Doc'd SESSION_COOKIE_DOMAIN requirement with CSRF_USE_SESSIONS.

timgraham · felixxm · commit f4db2d16ec42 · 2021-01-04T08:17:46.000+01:00
Similar considerations as refs #32065, again adding some nuance to afd375f. Backport of 2e7ba60 from master
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
@@ -3172,6 +3172,10 @@ The domain to use for session cookies. Set this to a string such as
 ``"example.com"`` for cross-domain cookies, or use ``None`` for a standard
 domain cookie.
 
+To use cross-domain cookies with :setting:`CSRF_USE_SESSIONS`, you must include
+a leading dot (e.g. ``".example.com"``) to accommodate the CSRF middleware's
+referer checking.
+
 Be cautious when updating this setting on a production site. If you update
 this setting to enable cross-domain cookies on a site that previously used
 standard domain cookies, existing user cookies will be set to the old
