id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23040	The CSRF protection seems to ignore the HTTP_X_CSRFTOKEN header and csrfmiddlewaretoken POST value in case the CSRF cookie is missing.	krystian@…	nobody	"I have AJAX code which makes POST requests to a Django 1.6.4 application. The view has CSRF protection enabled via the django.middleware.csrf.CsrfViewMiddleware. If I do not pass a cookie but do pass the HTTP_X_CSRFTOKEN, it fails.

I am looking at the code of django.middleware.csrf.CsrfViewMiddleware and I see that on line 161 it checks to see if if csrf_token is None: after getting it from the cookie. If it is None, it returns. Only afterwards does it check the csrfmiddlewaretoken param and the HTTP_X_CSRFTOKEN request header. 

This looks incorrect and the check for a missing csrf_token value should only be made after checking all the possible places for where it could be found."	Bug	closed	CSRF	1.6	Normal	invalid	csrf	Florian Apolloner	Unreviewed	0	0	0	0	1	0
