Ticket #14134: patch.diff

django/conf/global_settings.py

@@ -484 +484 @@
 # rejected by the CSRF middleware.
 CSRF_FAILURE_VIEW = 'django.views.csrf.csrf_failure'
 
-# Name and domain for CSRF cookie.
-CSRF_COOKIE_NAME = 'csrftoken'
-CSRF_COOKIE_DOMAIN = None
+CSRF_COOKIE_NAME = 'csrftoken'                       # Cookie name.
+CSRF_COOKIE_PATH = '/'                               # The path of the csrf cookie.
+CSRF_COOKIE_DOMAIN = None                            # A string like ".lawrence.com", or None for standard domain cookie.
 
 ############
 # MESSAGES #

django/middleware/csrf.py

@@ -195 +195 @@
         # Set the CSRF cookie even if it's already set, so we renew the expiry timer.
         response.set_cookie(settings.CSRF_COOKIE_NAME,
                 request.META["CSRF_COOKIE"], max_age = 60 * 60 * 24 * 7 * 52,
+                path=settings.CSRF_COOKIE_PATH,
                 domain=settings.CSRF_COOKIE_DOMAIN)
         # Content varies with the CSRF cookie, so set the Vary header.
         patch_vary_headers(response, ('Cookie',))