[Security] Explain lazy anonymous mode

HeahDude · HeahDude · commit 78a5271444ba · 2020-02-17T23:18:38.000+01:00
diff --git a/security.rst b/security.rst
@@ -290,7 +290,9 @@ and ``/_wdt``.
 
 All *real* URLs are handled by the ``main`` firewall (no ``pattern`` key means
 it matches *all* URLs). But this does *not* mean that every URL requires authentication.
-Nope, thanks to the ``anonymous`` key, this firewall *is* accessible anonymously.
+It is useful to let users be authenticated as anonymous. It means any request
+can have an anonymous token to access some resource, while some actions can require
+some privileges.
 
 In fact, if you go to the homepage right now, you *will* have access and you'll see
 that you're "authenticated" as ``anon.``. Don't be fooled by the "Yes" next to
@@ -300,8 +302,16 @@ you are anonymous:
 .. image:: /_images/security/anonymous_wdt.png
    :align: center
 
+It will also allow a request to access a form login without being authenticated as a
+unique user (otherwise an infinite redirection loop would happen asking the user to
+authenticate while trying to doing so).
 You'll learn later how to deny access to certain URLs or controllers.
 
+.. note::
+
+    The "lazy" anonymous mode prevent the session from being started if there is
+    no need for authorization (i.e explicit check for a user privilege).
+
 .. note::
 
     If you do not see the toolbar, install the :doc:`profiler </profiler>` with:
