Changes between Version 1 and Version 2 of Ticket #28699, comment 16


Ignore:
Timestamp:
Dec 5, 2018, 7:34:44 AM (6 years ago)
Author:
Carlton Gibson

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #28699, comment 16

    v1 v2  
    2020* But then `CsrfViewMiddleware.process_request()` calls `_get_token()` which fetches the **old** `CSRF_COOKIE`, from either the session or the cookie, and [https://github.com/django/django/blob/4d60261b2a77460b4c127c3d832518b95e11a0ac/django/middleware/csrf.py#L201 resets it on `request.META`].
    2121
    22 Unless I missed something, this is **negating the `rotate_token()` call**. Is that correct, or have I misread it? Given the docstring in `rotate_token()` isn't this a no-no?
     22Unless I missed something, this is **negating the `rotate_token()` call**. Is that correct, or have I misread it? Given the docstring in `rotate_token()` isn't this a no-no? If so, we can't recommend this.
    2323
    2424On the other hand, if `CsrfViewMiddleware` is first then the `rotate_token()` call will replace whatever `CSRF_COOKIE` was previously set, and so the actual CSRF check in `process_view()` will necessarily fail. (As we must be seeing here.)
Back to Top