CsrfMiddleware false positive after session.flush()
Reported by: Glenn | Owned by: lukeplant
Has patch: yes | Needs documentation: no
Needs tests: no | Patch needs improvement: no
If a user loads a form, logs in in another window, and then submits the form, CSRF triggers. The same happens if you're on a page with a form, click a login button, and then browse back to the form and submit it. The same also happens if the user logs out and then logs in as a different user, and submits an old form.
This happens because contrib.auth.login and logout reset the session, which changes the CSRF security token.
(Is submitting a form in this situation a good idea? That's up to the site; CsrfMiddleware should not cause forms to fail in non-CSRF situations.)
CsrfMiddleware should set its own random cookie, independent of the session cookie, and leave it there indefinitely; the CSRF cookie in a form will always remain valid, regardless of the session. (This will also have the side-effect of making CSRF not depend on sessions, which doesn't hurt.)
I can implement this, but I'll wait for feedback first.
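The two token schemes the ticket contrasts, as an added stand-alone illustration (constructed example, not Django's middleware code): a token derived from the session key is invalidated by the session rotation that login/logout performs, while a token kept in its own long-lived cookie survives it. `Session`, `scenario` and the cookie name `csrftoken` are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = "constructed-secret-key"  # stands in for the site's secret key


class Session:
    """Minimal stand-in for a session store; flush() rotates the key as login/logout do."""
    def __init__(self):
        self.session_key = secrets.token_hex(16)

    def flush(self):
        self.session_key = secrets.token_hex(16)


# --- Scheme 1: token derived from the session key (the behaviour the ticket reports) ---
def session_bound_token(session):
    """Token keyed to the session; any session rotation changes it."""
    return hmac.new(SECRET_KEY.encode(), session.session_key.encode(), hashlib.sha256).hexdigest()

def check_session_bound(session, submitted_token):
    return hmac.compare_digest(session_bound_token(session), submitted_token)


# --- Scheme 2: token kept in its own cookie, independent of the session ---
def get_or_set_csrf_cookie(cookies):
    """Return the CSRF cookie value, creating a random one on first use."""
    if "csrftoken" not in cookies:
        cookies["csrftoken"] = secrets.token_hex(16)
    return cookies["csrftoken"]

def check_independent(cookies, submitted_token):
    """Accept only if the form's token equals the cookie value; the cookie is untouched by login."""
    cookie = cookies.get("csrftoken")
    return cookie is not None and hmac.compare_digest(cookie, submitted_token)


def scenario(use_independent_cookie):
    """Render a form, log in (session rotates), then submit the already-rendered form."""
    session = Session()
    cookies = {}
    form_token = get_or_set_csrf_cookie(cookies) if use_independent_cookie else session_bound_token(session)
    session.flush()  # contrib.auth.login / logout resets the session here
    if use_independent_cookie:
        return check_independent(cookies, form_token)
    return check_session_bound(session, form_token)
```

`scenario(False)` reproduces the false positive from the report; `scenario(True)` shows the same submission accepted, while a token that does not match the cookie is still rejected.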
Change History (13)
comment:1 Changed 5 years ago by simon
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset