id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13448	CsrfResponseMiddleware breaks the Etag in CommonMiddleware	defaultwombat	nobody	"If the !CsrfResponseMiddleware.process_response adds the csrf_token field to the content, the etag of the response doesn't get updated.

The !CommonMiddleware.process_response however only generates a new etag if it doesn't already exist.

So the comparison between HTTP_IF_NONE_MATCH and Etag is based on a wrong etag and might lead to a wrong !HttpResponseNotModified.

My problem was that I sometimes got a 403 from the csrf-middleware when I added or changed things in the admin site.

Although I haven't resolved the whole puzzle yet, the main pieces are:
 * When you use an admin form the etag is generated by the never_cache decorator.
 * The csrf middleware adds the csrf_token field to the form
 * If your browser doesn't have the page cached everything is fine
 * When you log out and log in again, you get a new session_id
 * If you now use the same admin form again the common middleware doesn't notice any changes between the HTTP_IF_NONE_MATCH and the etag.
 * So it sends a !HttpResponseNotModified which lets the browser use the cached version of the page.
 * As the csrf_token in the cached page is based on a different session_id you end up with a 403 when you try to submit the form.

"		closed	HTTP handling	1.1		fixed	csrf etag middleware never_cache	kanu@…	Unreviewed	0	0	0	0	0	0
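The sequence in the ticket, reproduced as an added example (this is illustrative code, not Django's middleware or the fix that closed the ticket): a view stamps an ETag on the body before the CSRF field is inserted, the CSRF step rewrites the body without touching the ETag, and the ETag/conditional-GET step only computes an ETag when none is present. A second session that revalidates with If-None-Match gets a 304, reuses the cached page, and submits the previous session's token. The `recompute_etag` switch models one possible correction, recomputing the ETag after the body has been rewritten; the class and function names, the digest choice (sha256 rather than Django's md5 of the day, which does not matter for the bug) and the token derivation are assumptions of this example.

```python
import hashlib


def make_etag(content):
    """Strong ETag from the body (assumed digest; the algorithm is irrelevant to the bug)."""
    return '"%s"' % hashlib.sha256(content).hexdigest()


def csrf_token_for(session_id):
    """Assumed token derivation: the point is only that it changes with the session."""
    return hashlib.sha256(session_id.encode()).hexdigest()


class Response:
    def __init__(self, content=b"", status=200):
        self.content = content
        self.status = status
        self.headers = {}


FORM_OPEN = b"<form method='post'>"


def admin_form_view():
    """Renders the form and, like the ticket's never_cache step, stamps an ETag
    on the response while the body still lacks the CSRF field."""
    resp = Response(FORM_OPEN + b"<input name='title' /></form>")
    resp.headers["ETag"] = make_etag(resp.content)
    return resp


def csrf_response_middleware(resp, session_id):
    """Inserts the csrfmiddlewaretoken field into the body; the ETag is left stale."""
    hidden = (b"<input type='hidden' name='csrfmiddlewaretoken' value='"
              + csrf_token_for(session_id).encode() + b"' />")
    resp.content = resp.content.replace(FORM_OPEN, FORM_OPEN + hidden)
    return resp


def common_middleware(resp, request_headers, recompute_etag):
    """Sets the ETag only when missing (behaviour described in the ticket) or
    always (the assumed fix), then handles the conditional GET."""
    if recompute_etag or "ETag" not in resp.headers:
        resp.headers["ETag"] = make_etag(resp.content)
    if request_headers.get("If-None-Match") == resp.headers["ETag"]:
        not_modified = Response(status=304)
        not_modified.headers["ETag"] = resp.headers["ETag"]
        return not_modified
    return resp


def get_admin_form(session_id, request_headers, recompute_etag):
    """Response pipeline in the order the ticket describes: view, CSRF, then ETag check."""
    resp = admin_form_view()
    resp = csrf_response_middleware(resp, session_id)
    return common_middleware(resp, request_headers, recompute_etag)


def csrf_view_middleware(session_id, posted_token):
    """POST-side check: 403 unless the submitted token belongs to the current session."""
    return 200 if posted_token == csrf_token_for(session_id) else 403


def extract_token(body):
    """What the browser submits: the hidden field from whatever page it rendered."""
    marker = b"name='csrfmiddlewaretoken' value='"
    start = body.index(marker) + len(marker)
    return body[start:body.index(b"'", start)].decode()


def simulate(recompute_etag):
    """Returns (status of the revalidating GET, status of the following POST)."""
    # Session 1: nothing cached yet, so the browser stores body and ETag.
    first = get_admin_form("session-1", {}, recompute_etag)
    cache = {"body": first.content, "etag": first.headers["ETag"]}
    # Logout/login gives session 2; the browser revalidates its cached copy.
    second = get_admin_form("session-2", {"If-None-Match": cache["etag"]}, recompute_etag)
    body = second.content if second.status == 200 else cache["body"]
    post_status = csrf_view_middleware("session-2", extract_token(body))
    return second.status, post_status


if __name__ == "__main__":
    print("stale ETag:", simulate(recompute_etag=False))   # (304, 403)
    print("ETag recomputed:", simulate(recompute_etag=True))  # (200, 200)
```

With the stale ETag the revalidating GET is answered 304 because the pre-token body never changed, and the cached page carries session 1's token, so the POST is rejected with 403. Recomputing the ETag after the body rewrite makes the two sessions' responses differ, the browser receives a fresh page, and the POST passes. The same check applies to any middleware that rewrites a body after another component has fingerprinted it.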
