Ticket #9977: csrf_template_tag_4.diff

django/conf/project_template/settings.py

@@ -60 +60 @@
 MIDDLEWARE_CLASSES = (
     'django.middleware.common.CommonMiddleware',
     'django.contrib.csrf.middleware.CsrfViewMiddleware',
-    'django.contrib.csrf.middleware.CsrfResponseMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
 )
@@ -76 +75 @@
 INSTALLED_APPS = (
     'django.contrib.auth',
     'django.contrib.contenttypes',
+    'django.contrib.csrf',
     'django.contrib.sessions',
     'django.contrib.sites',
 )

django/conf/global_settings.py

@@ -165 +165 @@
     'django.core.context_processors.debug',
     'django.core.context_processors.i18n',
     'django.core.context_processors.media',
+    'django.contrib.csrf.context_processors.csrf',
 #    'django.core.context_processors.request',
 )
 
@@ -303 +304 @@
 MIDDLEWARE_CLASSES = (
 #     'django.middleware.gzip.GZipMiddleware',
     'django.contrib.csrf.middleware.CsrfViewMiddleware',
-    'django.contrib.csrf.middleware.CsrfResponseMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
 #     'django.middleware.http.ConditionalGetMiddleware',
@@ -379 +379 @@
 # The number of days a password reset link is valid for
 PASSWORD_RESET_TIMEOUT_DAYS = 3
 
+########
+# CSRF #
+########
+
+# Dotted path to callable to be used as view when a request is
+# rejected by the CSRF middleware.
+CSRF_FAILURE_VIEW = 'django.contrib.csrf.views.csrf_failure'
+
 ###########
 # TESTING #
 ###########

django/contrib/formtools/templates/formtools/preview.html

@@ -1 +1 @@
 {% extends "base.html" %}
-
+{% load csrf %}
 {% block content %}
 
 <h1>Preview your submission</h1>
@@ -15 +15 @@
 
 <p>Security hash: {{ hash_value }}</p>
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {% for field in form %}{{ field.as_hidden }}
 {% endfor %}
 <input type="hidden" name="{{ stage_field }}" value="2" />
@@ -25 +25 @@
 
 <h1>Or edit it again</h1>
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 <table>
 {{ form }}
 </table>

django/contrib/formtools/templates/formtools/form.html

@@ -1 +1 @@
 {% extends "base.html" %}
-
+{% load csrf %}
 {% block content %}
 
 {% if form.errors %}<h1>Please correct the following errors</h1>{% else %}<h1>Submit</h1>{% endif %}
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 <table>
 {{ form }}
 </table>

django/contrib/comments/templates/comments/approve.html

@@ -1 +1 @@
 {% extends "comments/base.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 
 {% block title %}{% trans "Approve a comment" %}{% endblock %}
 
 {% block content %}
   <h1>{% trans "Really make this comment public?" %}</h1>
   <blockquote>{{ comment|linebreaks }}</blockquote>
-  <form action="." method="post">
+  <form action="." method="post">{% csrf_token %}
     <input type="hidden" name="next" value="{{ next }}" id="next" />
     <p class="submit">
       <input type="submit" name="submit" value="{% trans "Approve" %}" /> or <a href="{{ comment.get_absolute_url }}">cancel</a>

django/contrib/comments/templates/comments/preview.html

@@ -1 +1 @@
 {% extends "comments/base.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 
 {% block title %}{% trans "Preview your comment" %}{% endblock %}
 
 {% block content %}
   {% load comments %}
-  <form action="{% comment_form_target %}" method="post">
+  <form action="{% comment_form_target %}" method="post">{% csrf_token %}
     {% if form.errors %}
     <h1>{% blocktrans count form.errors|length as counter %}Please correct the error below{% plural %}Please correct the errors below{% endblocktrans %}</h1>
     {% else %}

django/contrib/comments/templates/comments/delete.html

@@ -1 +1 @@
 {% extends "comments/base.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 
 {% block title %}{% trans "Remove a comment" %}{% endblock %}
 
 {% block content %}
 <h1>{% trans "Really remove this comment?" %}</h1>
   <blockquote>{{ comment|linebreaks }}</blockquote>
-  <form action="." method="post">
+  <form action="." method="post">{% csrf_token %}
     <input type="hidden" name="next" value="{{ next }}" id="next" />
     <p class="submit">
     <input type="submit" name="submit" value="{% trans "Remove" %}" /> or <a href="{{ comment.get_absolute_url }}">cancel</a>

django/contrib/comments/templates/comments/form.html

@@ -1 @@
-{% load comments i18n %}
-<form action="{% comment_form_target %}" method="post">
+{% load comments i18n csrf %}
+<form action="{% comment_form_target %}" method="post">{% csrf_token %}
   {% for field in form %}
     {% if field.is_hidden %}
       {{ field }}

django/contrib/comments/templates/comments/moderation_queue.html

@@ -1 +1 @@
 {% extends "admin/change_list.html" %}
-{% load adminmedia i18n %}
+{% load adminmedia i18n csrf %}
 
 {% block title %}{% trans "Comment moderation queue" %}{% endblock %}
 
@@ -44 +44 @@
       {% for comment in comments %}
         <tr class="{% cycle 'row1' 'row2' %}">
           <td class="actions">
-            <form action="{% url comments-approve comment.pk %}" method="post">
+            <form action="{% url comments-approve comment.pk %}" method="post">{% csrf_token %}
               <input type="hidden" name="next" value="{% url comments-moderation-queue %}" />
               <input class="approve submit" type="submit" name="submit" value="{% trans "Approve" %}" />
             </form>
-            <form action="{% url comments-delete comment.pk %}" method="post">
+            <form action="{% url comments-delete comment.pk %}" method="post">{% csrf_token %}
               <input type="hidden" name="next" value="{% url comments-moderation-queue %}" />
               <input class="remove submit" type="submit" name="submit" value="{% trans "Remove" %}" />
             </form>

django/contrib/comments/templates/comments/flag.html

@@ -1 +1 @@
 {% extends "comments/base.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 
 {% block title %}{% trans "Flag this comment" %}{% endblock %}
 
 {% block content %}
 <h1>{% trans "Really flag this comment?" %}</h1>
   <blockquote>{{ comment|linebreaks }}</blockquote>
-  <form action="." method="post">
+  <form action="." method="post">{% csrf_token %}
     <input type="hidden" name="next" value="{{ next }}" id="next" />
     <p class="submit">
     <input type="submit" name="submit" value="{% trans "Flag" %}" /> or <a href="{{ comment.get_absolute_url }}">cancel</a>

django/contrib/admin/templates/admin/change_list.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-{% load adminmedia admin_list i18n %}
+{% load adminmedia admin_list i18n csrf %}
 
 {% block extrastyle %}
   {{ block.super }}
@@ -64 +64 @@
       {% endblock %}
       
       {% if cl.formset %}
-        <form action="" method="post"{% if cl.formset.is_multipart %} enctype="multipart/form-data"{% endif %}>
+        <form action="" method="post"{% if cl.formset.is_multipart %} enctype="multipart/form-data"{% endif %}>{% csrf_token %}
         {{ cl.formset.management_form }}
       {% endif %}
 

django/contrib/admin/templates/admin/template_validator.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-
+{% load csrf %}
 {% block content %}
 
 <div id="content-main">
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 
 {% if form.errors %}
 <p class="errornote">Your template had {{ form.errors|length }} error{{ form.errors|pluralize }}:</p>

django/contrib/admin/templates/admin/auth/user/change_password.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-{% load i18n admin_modify adminmedia %}
+{% load i18n admin_modify adminmedia csrf %}
 {% block extrahead %}{{ block.super }}
 <script type="text/javascript" src="../../../../jsi18n/"></script>
 {% endblock %}
@@ -14 +14 @@
 </div>
 {% endif %}{% endblock %}
 {% block content %}<div id="content-main">
-<form action="{{ form_url }}" method="post" id="{{ opts.module_name }}_form">{% block form_top %}{% endblock %}
+<form action="{{ form_url }}" method="post" id="{{ opts.module_name }}_form">{% csrf_token %}{% block form_top %}{% endblock %}
 <div>
 {% if is_popup %}<input type="hidden" name="_popup" value="1" />{% endif %}
 {% if form.errors %}

django/contrib/admin/templates/admin/login.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 
 {% block extrastyle %}{% load adminmedia %}{{ block.super }}<link rel="stylesheet" type="text/css" href="{% admin_media_prefix %}css/login.css" />{% endblock %}
 
@@ -14 +14 @@
 <p class="errornote">{{ error_message }}</p>
 {% endif %}
 <div id="content-main">
-<form action="{{ app_path }}" method="post" id="login-form">
+<form action="{{ app_path }}" method="post" id="login-form">{% csrf_token %}
   <div class="form-row">
     <label for="id_username">{% trans 'Username:' %}</label> <input type="text" name="username" id="id_username" />
   </div>

django/contrib/admin/templates/admin/change_form.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-{% load i18n admin_modify adminmedia %}
+{% load i18n admin_modify adminmedia csrf %}
 
 {% block extrahead %}{{ block.super }}
 <script type="text/javascript" src="../../../jsi18n/"></script>
@@ -29 +29 @@
   </ul>
 {% endif %}{% endif %}
 {% endblock %}
-<form {% if has_file_field %}enctype="multipart/form-data" {% endif %}action="{{ form_url }}" method="post" id="{{ opts.module_name }}_form">{% block form_top %}{% endblock %}
+<form {% if has_file_field %}enctype="multipart/form-data" {% endif %}action="{{ form_url }}" method="post" id="{{ opts.module_name }}_form">{% csrf_token %}{% block form_top %}{% endblock %}
 <div>
 {% if is_popup %}<input type="hidden" name="_popup" value="1" />{% endif %}
 {% if save_on_top %}{% submit_row %}{% endif %}

django/contrib/admin/templates/admin/delete_confirmation.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 
 {% block breadcrumbs %}
 <div class="breadcrumbs">
@@ -22 +22 @@
 {% else %}
     <p>{% blocktrans with object as escaped_object %}Are you sure you want to delete the {{ object_name }} "{{ escaped_object }}"? All of the following related items will be deleted:{% endblocktrans %}</p>
     <ul>{{ deleted_objects|unordered_list }}</ul>
-    <form action="" method="post">
+    <form action="" method="post">{% csrf_token %}
     <div>
     <input type="hidden" name="post" value="yes" />
     <input type="submit" value="{% trans "Yes, I'm sure" %}" />

django/contrib/admin/templates/registration/password_reset_confirm.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 
 {% block breadcrumbs %}<div class="breadcrumbs"><a href="../">{% trans 'Home' %}</a> &rsaquo; {% trans 'Password reset confirmation' %}</div>{% endblock %}
 
@@ -13 +13 @@
 
 <p>{% trans "Please enter your new password twice so we can verify you typed it in correctly." %}</p>
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {{ form.new_password1.errors }}
 <p class="aligned wide"><label for="id_new_password1">{% trans 'New password:' %}</label>{{ form.new_password1 }}</p>
 {{ form.new_password2.errors }}

django/contrib/admin/templates/registration/password_reset_form.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 
 {% block breadcrumbs %}<div class="breadcrumbs"><a href="../">{% trans 'Home' %}</a> &rsaquo; {% trans 'Password reset' %}</div>{% endblock %}
 
@@ -11 +11 @@
 
 <p>{% trans "Forgotten your password? Enter your e-mail address below, and we'll e-mail instructions for setting a new one." %}</p>
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {{ form.email.errors }}
 <p><label for="id_email">{% trans 'E-mail address:' %}</label> {{ form.email }} <input type="submit" value="{% trans 'Reset my password' %}" /></p>
 </form>

django/contrib/admin/templates/registration/password_change_form.html

@@ -1 +1 @@
 {% extends "admin/base_site.html" %}
-{% load i18n %}
+{% load i18n csrf %}
 {% block userlinks %}{% url django-admindocs-docroot as docsroot %}{% if docsroot %}<a href="{{ docsroot }}">{% trans 'Documentation' %}</a> / {% endif %} {% trans 'Change password' %} / <a href="../logout/">{% trans 'Log out' %}</a>{% endblock %}
 {% block breadcrumbs %}<div class="breadcrumbs"><a href="../">{% trans 'Home' %}</a> &rsaquo; {% trans 'Password change' %}</div>{% endblock %}
 
@@ -11 +11 @@
 
 <p>{% trans "Please enter your old password, for security's sake, and then enter your new password twice so we can verify you typed it in correctly." %}</p>
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 
 {{ form.old_password.errors }}
 <p class="aligned wide"><label for="id_old_password">{% trans 'Old password:' %}</label>{{ form.old_password }}</p>

django/contrib/csrf/middleware.py

@@ -13 +13 @@
     from django.utils.functional import wraps  # Python 2.3, 2.4 fallback.
 
 from django.conf import settings
-from django.http import HttpResponseForbidden
+from django.core.urlresolvers import get_callable
 from django.utils.hashcompat import md5_constructor
 from django.utils.safestring import mark_safe
 
-_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
-
 _POST_FORM_RE = \
     re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)
 
 _HTML_TYPES = ('text/html', 'application/xhtml+xml')
 
+def _get_failure_view():
+    """
+    Returns the view to be used for CSRF rejections
+    """
+    return get_callable(settings.CSRF_FAILURE_VIEW)
+
+def get_token(request):
+    """
+    Returns the the CSRF token required for a session,
+    or None if there is no session active.
+    """
+    try:
+        session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
+    except KeyError:
+        # No session
+        return None
+
+    return _make_token(session_id)
+
 def _make_token(session_id):
     return md5_constructor(settings.SECRET_KEY + session_id).hexdigest()
 
@@ -40 +57 @@
             if request.is_ajax():
                 return None
 
-            try:
-                session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
-            except KeyError:
+            csrf_token = get_token(request)
+            if csrf_token is None:
                 # No session, no check required
                 return None
 
-            csrf_token = _make_token(session_id)
             # check incoming token
             try:
                 request_csrf_token = request.POST['csrfmiddlewaretoken']
             except KeyError:
-                return HttpResponseForbidden(_ERROR_MSG)
+                return _get_failure_view()(request)
 
             if request_csrf_token != csrf_token:
-                return HttpResponseForbidden(_ERROR_MSG)
+                return _get_failure_view()(request)
 
         return None
 

django/contrib/csrf/views.py

@@ +1 @@
+from django.http import HttpResponseForbidden
+from django.utils.safestring import mark_safe
+
+_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
+
+def csrf_failure(request):
+    """
+    Default view used when request fails CSRF protection
+    """
+    return HttpResponseForbidden(_ERROR_MSG)

django/contrib/csrf/tests.py

@@ -3 +3 @@
 from django.test import TestCase
 from django.http import HttpRequest, HttpResponse, HttpResponseForbidden
 from django.contrib.csrf.middleware import CsrfMiddleware, _make_token, csrf_exempt
+from django.contrib.csrf.context_processors import csrf
 from django.conf import settings
+from django.template import RequestContext, Template
 
-
 def post_form_response():
     resp = HttpResponse(content="""
 <html><body><form method="POST"><input type="text" /></form></body></html>
@@ -142 +143 @@
         req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
         req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
         self.assertEquals(None, req2)
+
+    def _context_instance(self, req):
+        return RequestContext(req, processors=[csrf])
+
+    def test_token_node_no_session(self):
+        """
+        Check that CsrfTokenNode works when no session active
+        """
+        req = self._get_GET_no_session_request()
+        context = self._context_instance(req)
+        template = Template("{% load csrf %}{% csrf_token %}")
+        self.assertEquals(u"", template.render(context))
+
+    def test_token_node_no_session(self):
+        """
+        Check that CsrfTokenNode works when a session is active
+        """
+        req = self._get_GET_session_request()
+        context = self._context_instance(req)
+        template = Template("{% load csrf %}{% csrf_token %}")
+        rendered = template.render(context)
+        self.assertNotEqual(u"", rendered)
+        expected = ("name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id))
+        self.failUnless(expected in rendered)

django/contrib/csrf/templatetags/csrf.py

@@ +1 @@
+from django import template
+from django.utils.safestring import mark_safe
+
+register = template.Library()
+
+class CsrfTokenNode(template.Node):
+    def render(self, context):
+        csrf_token = context.get('csrf_token', None)
+        if csrf_token:
+            if csrf_token == 'NOTNEEDED':
+                return mark_safe(u"")
+            else:
+                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
+        else:
+            # It's very probable that the token is missing because of
+            # misconfiguration, so we raise a warning
+            from django.conf import settings
+            if settings.DEBUG:
+                import warnings
+                warnings.warn("A {% csrf_token %} was used in a template, but the context did not provide the value.  This is usually caused by not having 'django.contrib.csrf.context_processors.csrf' in TEMPLATE_CONTEXT_PROCESSORS.")
+            return u''
+
+def csrf_token(parser, token):
+    return CsrfTokenNode()
+register.tag(csrf_token)

django/contrib/csrf/context_processors.py

@@ +1 @@
+from django.contrib.csrf.middleware import get_token
+
+def csrf(request):
+    """
+    Context processor that provides a CSRF token, or the string
+    'NOTNEEDED' if it is not needed
+    """
+    token = get_token(request)
+    if token is None:
+        # In order to be able to provide debugging info in the case of
+        # misconfiguration, we use a sentinel value instead of an empty
+        # dict.
+        return {'csrf_token':'NOTNEEDED'}
+    else:
+        return {'csrf_token': token}
+

tests/regressiontests/admin_views/tests.py

@@ -745 +745 @@
         # 2 management hidden fields = 2
         # main form submit button = 1
         # search field and search submit button = 2
-        # 6 + 2 + 1 + 2 = 11 inputs
-        self.failUnlessEqual(response.content.count("<input"), 11)
+        # csrf hidden field = 1
+        # 6 + 2 + 1 + 2 + 1 = 12 inputs
+        self.failUnlessEqual(response.content.count("<input"), 12)
         # 1 select per object = 3 selects
         self.failUnlessEqual(response.content.count("<select"), 3)
     

tests/runtests.py

@@ -30 +30 @@
     'django.contrib.sessions',
     'django.contrib.comments',
     'django.contrib.admin',
+    'django.contrib.csrf',
 ]
 
 def get_test_models():

docs/ref/contrib/csrf.txt

@@ -7 +7 @@
 .. module:: django.contrib.csrf
    :synopsis: Protects against Cross Site Request Forgeries
 
-The CsrfMiddleware classes provides easy-to-use protection against
-`Cross Site Request Forgeries`_.  This type of attack occurs when a
-malicious Web site creates a link or form button that is intended to
-perform some action on your Web site, using the credentials of a
-logged-in user who is tricked into clicking on the link in their
-browser.
+The CSRF middleware and template tag provides easy-to-use protection
+against `Cross Site Request Forgeries`_.  This type of attack occurs
+when a malicious Web site creates a link or form button that is
+intended to perform some action on your Web site, using the
+credentials of a logged-in user who is tricked into clicking on the
+link in their browser.
 
 The first defense against CSRF attacks is to ensure that GET requests
 are side-effect free.  POST requests can then be protected by adding
-these middleware into your list of installed middleware.
+these middleware into your list of installed middleware following the
+steps below.
 
+.. versionadded:: 1.1
+    The functionality described here is depended on by the 'contrib'
+    apps, including the admin, so usage steps 1, 2 and 4.1.1 below are
+    **required** for these apps to function.
+
 .. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF
 
 How to use it
 =============
+.. versionchanged:: 1.1
+    The template tag functionality (the recommended way to use this)
+    was added in version 1.1. The previous method (still available) is
+    described under 'Legacy method'.
 
-Add the middleware
-``'django.contrib.csrf.middleware.CsrfViewMiddleware'`` and
-``'django.contrib.csrf.middleware.CsrfResponseMiddleware'`` to your
-list of middleware classes,
-:setting:`MIDDLEWARE_CLASSES`. ``CsrfResponseMiddleware`` needs to
-process the response after the ``SessionMiddleware``, so must come
-before it in the list.  It also must process the response before
-things like compression happen to the response, so it must come after
-``GZipMiddleware`` in the list.
+Follow these steps:
 
-The ``CsrfMiddleware`` class, which combines the two classes, is also
-available, for backwards compatibility with Django 1.0.
+    1. Add the middleware
+       ``'django.contrib.csrf.middleware.CsrfViewMiddleware'`` to your
+       list of middleware classes, :setting:`MIDDLEWARE_CLASSES`.
 
-.. versionchanged:: 1.1
-    previous versions of Django did not provide these two components
-    of ``CsrfMiddleware`` as described above.
+    2. Add ``'django.contrib.csrf'`` to your :setting:`INSTALLED_APPS`.
 
+    3. In any template that uses a POST form, first load the 'csrf'
+       template tag library::
+
+           {% load csrf %}
+
+       Then use the ``csrf_token`` tag inside the ``<form>`` element, e.g.::
+
+           <form action="" method="POST">{% csrf_token %}
+
+    4. In the corresponding view functions, ensure that the
+       ``'django.contrib.csrf.context_processors.csrf'`` is being
+       used. Usually, this can be done in one of two ways:
+
+       1. Using RequestContext:
+
+          1. Ensure ``'django.contrib.csrf.context_processors.csrf'``
+             is present in your :setting:`TEMPLATE_CONTEXT_PROCESSORS`
+             setting. It is present by default.
+
+          2. Use ``RequestContext`` as the context instance in the
+             relevant views. If you are using generic views or contrib
+             apps, you are covered already.
+
+       2. Manually import and use the processor to generate the CSRF
+          token and add it to the template context. e.g.::
+
+              from django.contrib.csrf.context_processors import csrf
+              from django.template import Context
+              from django.shortcuts import render_to_response
+              def my_view(request):
+                  c = Context()
+                  c.update(csrf(request))
+                  return render_to_response("a_template.html", context_instance=c)
+
+    5. Ensure that any views which create a new session do not in the
+       same response present a POST form.  Often this is achieved by
+       doing a redirect.
+
+       The reason for this is as follows: the CSRF
+       token that is inserted by the ``csrf_token`` tag is calculated
+       on the basis of the ID of an existing session (which is known
+       from the cookies attached to the request).  When a new session
+       is created, only the outgoing response object is affected,
+       which the template tag does not have access to, so the template
+       tag would produce an incorrect token in this case, resulting in
+       an error when the user tries to submit the form.
+
+Legacy method
+-------------
+
+In Django 1.0, the template tag did not exist.  Instead, a
+post-processing middleware that re-wrote POST forms to include the
+CRSF token was used.  This is still available as
+``CsrfResponseMiddleware``, and it can be used by following these
+steps:
+
+    1. Follow step 1 above to install ``CsrfViewMiddleware``.
+
+    2. Add ``'django.contrib.csrf.middleware.CsrfResponseMiddleware'``
+       to your :setting:`MIDDLEWARE_CLASSES` setting.
+
+       ``CsrfResponseMiddleware`` needs to process the response after
+       the ``SessionMiddleware``, so must come before it in the list.
+       It also must process the response before things like
+       compression happen to the response, so it must come after
+       ``GZipMiddleware`` in the list.
+
+Use of the ``CsrfResponseMiddleware`` is not recommended, but it can
+be used as an interim measure until applications have been updated to use
+the ``{% crsf_token %}`` tag.
+
+Django 1.0 provided a single ``CsrfMiddleware`` class.  This is also
+still available for backwards compatibility.  It combines the
+functions of the two new middleware.
+
+
 Exceptions
 ----------
 
@@ -66 +143 @@
 request sent with "X-Requested-With: XMLHttpRequest" is automatically
 exempt. (See the next section.)
 
+Rejected requests
+=================
+
+By default, when an incoming request fails the checks that
+``CsrfViewMiddleware`` performs, a '403 Forbidden' response is sent to
+the user.  This should only be seen usually when there is a genuine
+Cross Site Request Forgery, or when due to a programmer error the CSRF
+token has not been included with a POST form.
+
+No logging is done, and the error message is not very friendly, so you
+may want to provide your own page for handling this condition.  To do
+this, simply set the :setting:`CSRF_FAILURE_VIEW` setting to a dotted
+path to your own view function.
+
 How it works
 ============
 
-The CSRF middleware do two things:
+The CSRF protection requires two things:
 
-1. It modifies outgoing requests by adding a hidden form field to all
-   'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is
-   a hash of the session ID plus a secret. If there is no session ID set,
-   this modification of the response isn't done, so there is very little
-   performance penalty for those requests that don't have a session.
-   (This is done by ``CsrfResponseMiddleware``).
+1. A hidden form field with the name 'csrfmiddlewaretoken' must be
+   added to all outgoing POST forms.  The value of this field is a
+   hash of the session ID plus a secret. If there is no session ID
+   set, this modification of the response isn't done, so there is very
+   little performance penalty for those requests that don't have a
+   session.
 
-2. On all incoming POST requests that have the session cookie set, it
-   checks that the 'csrfmiddlewaretoken' is present and correct. If it
-   isn't, the user will get a 403 error. (This is done by
-   ``CsrfViewMiddleware``)
+   This part is done by the template tag (and with the
+   legacy method, it is done by ``CsrfResponseMiddleware``).
 
+2. On all incoming POST requests that have the session cookie set, the
+   'csrfmiddlewaretoken' must be present and correct. If it isn't, the
+   user will get a 403 error.
+
+   This check is done by ``CsrfViewMiddleware``.
+
 This ensures that only forms that have originated from your Web site
 can be used to POST data back.
 
@@ -117 +212 @@
 have a custom authentication system that manually sets cookies and the
 like, it won't help you.
 
-If your app creates HTML pages and forms in some unusual way, (e.g.
-it sends fragments of HTML in JavaScript document.write statements)
-you might bypass the filter that adds the hidden field to the form,
-in which case form submission will always fail.  It may still be possible
-to use the middleware, provided you can find some way to get the
-CSRF token and ensure that is included when your form is submitted.
+If you are using ``CsrfResponseMiddleware`` and your app creates HTML
+pages and forms in some unusual way, (e.g.  it sends fragments of HTML
+in JavaScript document.write statements) you might bypass the filter
+that adds the hidden field to the form, in which case form submission
+will always fail.  It may still be possible to use the middleware,
+provided you can find some way to get the CSRF token and ensure that
+is included when your form is submitted.

docs/ref/settings.txt

@@ -146 +146 @@
 
 .. setting:: DATABASE_ENGINE
 
+CSRF_FAILURE_VIEW
+-----------------
+
+Default: ``'django.contrib.csrf.views.csrf_failure'``
+
+The name of the view function to be used when an incoming request
+is rejected by the CSRF protection. See :ref:`ref-contrib-csrf`.
+
 DATABASE_ENGINE
 ---------------