From bfee6927c2c29c54aa646e5ca554490b3b25c821 Mon Sep 17 00:00:00 2001
From: Junhyunny <kang3966@naver.com>
Date: Wed, 10 Jul 2024 21:37:39 +0900
Subject: [PATCH] Correct Explanation for HttpSessionCsrfTokenRepository

---
 docs/modules/ROOT/pages/servlet/exploits/csrf.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
index 3dd8e7a180..a4aa0d8982 100644
--- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
+++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
@@ -130,7 +130,7 @@ You can also specify <<csrf-token-repository-custom,your own implementation>> to
 
 By default, Spring Security stores the expected CSRF token in the `HttpSession` by using {security-api-url}org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.html[`HttpSessionCsrfTokenRepository`], so no additional code is necessary.
 
-The `HttpSessionCsrfTokenRepository` reads the token from an HTTP request header named `X-CSRF-TOKEN` or the request parameter `_csrf` by default.
+The `HttpSessionCsrfTokenRepository` reads the token from a session (whether in-memory, cache, or database). If you need to access the session attribute directly, please first configure the session attribute name using HttpSessionCsrfTokenRepository#setSessionAttributeName.
 
 You can specify the default configuration explicitly using the following configuration: