From 6c947c9f9e3bacb796edcb1a0cf77d609303366e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 3 Sep 2022 18:00:31 +0200
Subject: [PATCH] Doc

---
 htdocs/main.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index f189c90da72..06ff00e474f 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -500,12 +500,12 @@ if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
 }
 if (!isset($_SESSION['newtoken']) || getDolGlobalInt('MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL')) {
+ // Note: Using MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL is not recommended: if a user succeed in entering a data from
+ // a public page with a link that make a token regeneration, it can make use of the backoffice no more possible !
 // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
 $token = dol_hash(uniqid(mt_rand(), false), 'md5'); // Generates a hash of a random number. We don't need a secured hash, just a changing random value.
 $_SESSION['newtoken'] = $token;
 dol_syslog("NEW TOKEN generated by : ".$_SERVER['PHP_SELF'], LOG_DEBUG);
- // TODO Warning, if a user succeed in entering a data from a public page, he can enter a link that make a token regeneration making
- // the use of the backoffice no more possible !
 }
 }
 }
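Review bot: The new comment documents the renewal-on-each-call caveat but leaves the more important problem on the `$token = dol_hash(uniqid(mt_rand(), false), 'md5');` line unaddressed: its trailing comment claims "We don't need a secured hash, just a changing random value", yet a CSRF token is only a defence if it cannot be predicted, and `uniqid()`/`mt_rand()` are not cryptographic sources. Consider `$token = bin2hex(random_bytes(16)); // CSRF token must be unpredictable, so use a CSPRNG`, which keeps a 32-character hex string assuming `dol_hash(..., 'md5')` returns the plain md5 hex digest. The wording of the added note is also hard to follow; a clearer form would be `// Note: MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL is not recommended: if content submitted through a public page can carry a link that triggers token regeneration, the backoffice becomes unusable for that session.` The enclosing `if (!defined('NOTOKENRENEWAL') ...)` block starts before the hunk.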