From 09d28baeb4c26e4133772ea6c7af5cfd748d38ba Mon Sep 17 00:00:00 2001 From: Jordan Lee Date: Fri, 21 Jan 2011 02:40:33 +0000 Subject: [PATCH] #3915 "RPC Documentation should reflect in the X-Transmission-Session-Id headers" -- fixed. Add documentation for handling 409 error messages from the Transmission RPC server. --- extras/rpc-spec.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/extras/rpc-spec.txt b/extras/rpc-spec.txt index 488115404..b67cf3da9 100644 --- a/extras/rpc-spec.txt +++ b/extras/rpc-spec.txt @@ -45,6 +45,19 @@ since the port and path may be changed to allow mapping and/or multiple daemons to run on a single server. +2.4. CSRF Protection + + Most Transmission RPC servers require a X-Transmission-Session-Id + header to be sent with requests, to prevent CSRF attacks. + + When your request has the wrong id -- such as when you send your first + request, or when the server expires the CSRF token -- the + Transmission RPC server will return an HTTP 409 error with the + right X-Transmission-Session-Id in its own headers. + + So, the correct way to handle a 409 response is to update your + X-Transmission-Session-Id and to resend the previous request. + 3. Torrent Requests 3.1. Torrent Action Requests
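Review bot: The last paragraph of the new section 2.4 tells clients to "update your X-Transmission-Session-Id and to resend the previous request" without bounding the retry, so a client written to this text can loop if the server keeps answering 409 or if a 409 arrives without an X-Transmission-Session-Id header. Suggest stating that the request is resent once with the id taken from the 409 response, and that a second consecutive 409, or a 409 lacking the header, is reported as an error. In the first paragraph, "Most Transmission RPC servers require" leaves an implementer unsure when the header may be omitted; a sentence saying that clients should always be prepared to receive a 409 would settle it. Minor: "a X-Transmission-Session-Id" should read "an X-Transmission-Session-Id".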