[eluser]arbme666[/eluser]
I posted it in Bug Tracker I got a replied with...
Quote:No, the token name is used for the cookie, this merely ensures that the application cookie prefix setting is being observed.
I still think it is wrong as what is the point in having $config['csrf_cookie_name'] in config.php if it is overwritten by $config['csrf_token_name'] later in Security.php.
The comment for it reads that it should be the token name that is appended not the cookie name.
Code:
// Append application specific cookie prefix to token name
$this->csrf_cookie_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name;
Edit the Security.php file like above if you what to use $config['csrf_cookie_name'] as the actual name of the CSRF cookie.
Thanks