Ticket #10816: CsrfMiddleware false positive after session.flush()

Reporter: Glenn Maynard
Owner: Luke Plant
Type:
Status: closed
Component: Contrib apps
Version: dev
Severity:
Resolution: duplicate
Keywords: csrf sessions
CC:
Stage: Unreviewed
Has patch: 1
Needs docs: 0
Needs tests: 0
Needs better patch: 0
Easy: 0
UI/UX: 0

Description:

If a user loads a form, logs in in another window, and then submits the form, CSRF triggers. The same happens if you're on a page with a form, click a login button, and then browse back to the form and submit it. The same also happens if the user logs out and then logs in as a different user, and submits an old form.

This happens because contrib.auth.login and logout reset the session, which changes the CSRF security token. (Is submitting a form in this situation a good idea? That's up to the site; CsrfMiddleware should not cause forms to fail in non-CSRF situations.)

CSRFMiddleware should set its own random cookie, independent of the session cookie, and leave it there indefinitely; the CSRF cookie in a form will always remain valid, regardless of the session. (This will also have the side-effect of making CSRF not depend on sessions, which doesn't hurt.)

I can implement this, but I'll wait for feedback first.