id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
10816	CsrfMiddleware false positive after session.flush()	Glenn Maynard	Luke Plant	"If a user loads a form, logs in in another window, and then submits the form, CSRF triggers.  The same happens if you're on a page with a form, click a login button, and then browse back to the form and submit it.  The same also happens if the user logs out and then logs in as a different user, and submits an old form.

This happens because contrib.auth.login and logout reset the session, which changes the CSRF security token.

(Is submitting a form in this situation a good idea?  That's up to the site; CsrfMiddleware should not cause forms to fail in non-CSRF situations.)

CSRFMiddleware should set its own random cookie, independent of the session cookie, and leave it there indefinitely; the CSRF cookie in a form will always remain valid, regardless of the session.  (This will also have the side-effect of making CSRF not depend on sessions, which doesn't hurt.)

I can implement this, but I'll wait for feedback first.
"		closed	Contrib apps	dev		duplicate	csrf sessions		Unreviewed	1	0	0	0	0	0
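The two token designs the report contrasts, as an added illustration that is not part of the ticket or of Django's own code. A token derived from the session key is invalidated the moment login or logout resets the session, so an already rendered form fails; a token kept in its own long-lived cookie survives the reset. The `Request` stand-in, `flush_session`, the HMAC construction and the secret are all constructed for the demo and are not Django APIs.

```python
"""Session-bound vs. session-independent CSRF tokens (demo, not Django code)."""
import hashlib
import hmac
import secrets

# Constructed secret for the demo only; a real deployment uses its own.
SECRET_KEY = b"demo-secret-do-not-use"


class Request:
    """Minimal stand-in for an HTTP request: a cookie jar plus a session."""

    def __init__(self):
        self.cookies = {}
        self.session = {"_key": secrets.token_hex(16)}


def flush_session(request):
    """Mimic a login/logout that resets the session: fresh key, empty data."""
    request.session = {"_key": secrets.token_hex(16)}


class SessionBoundCsrf:
    """Token is an HMAC over the session key, so it dies with the session."""

    def token(self, request):
        key = request.session["_key"].encode()
        return hmac.new(SECRET_KEY, key, hashlib.sha256).hexdigest()

    def check(self, request, submitted):
        return hmac.compare_digest(self.token(request), submitted)


class CookieCsrf:
    """Token lives in its own cookie, set once and independent of the session."""

    COOKIE = "csrftoken"

    def token(self, request):
        if self.COOKIE not in request.cookies:
            request.cookies[self.COOKIE] = secrets.token_hex(16)
        return request.cookies[self.COOKIE]

    def check(self, request, submitted):
        expected = request.cookies.get(self.COOKIE)
        return expected is not None and hmac.compare_digest(expected, submitted)


def submit_after_login(scheme):
    """Load a form, log in elsewhere (session reset), then submit the old form.

    Returns True if the stale form is accepted.
    """
    req = Request()
    hidden_field = scheme.token(req)  # value rendered into the form on load
    flush_session(req)                # login in another window resets the session
    return scheme.check(req, hidden_field)


def submit_cross_site(scheme):
    """Forged POST from a site that never saw the victim's token; must be rejected."""
    req = Request()
    scheme.token(req)                 # victim has a valid token in the browser
    return scheme.check(req, "0" * 64)


if __name__ == "__main__":
    for scheme in (SessionBoundCsrf(), CookieCsrf()):
        name = type(scheme).__name__
        print(name, "stale form accepted:", submit_after_login(scheme))
        print(name, "forged post accepted:", submit_cross_site(scheme))
```

Both schemes reject the forged request; only the session-bound one also rejects the legitimate stale form, which is the false positive the ticket describes. One caveat on the cookie design: its security rests on the attacker being unable to set cookies for the site's domain, so a subdomain under hostile control, or any other cookie-injection path, would let the attacker supply a token that matches the forged form.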
