Changes between Version 1 and Version 2 of Ticket #28699, comment 16
- Timestamp:
- Dec 5, 2018, 7:34:44 AM (6 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
Ticket #28699, comment 16

Side-by-side view (v1 | v2), by comment line number:

- Line 20 (unmodified in v1 and v2): * But then `CsrfViewMiddleware.process_request()` calls `_get_token()` which fetches the **old** `CSRF_COOKIE`, from either the session or the cookie, and [https://github.com/django/django/blob/4d60261b2a77460b4c127c3d832518b95e11a0ac/django/middleware/csrf.py#L201 resets it on `request.META`].
- Line 22 (v1): Unless I missed something, this is **negating the `rotate_token()` call**. Is that correct, or have I misread it? Given the docstring in `rotate_token()` isn't this a no-no?
- Line 22 (v2, modified): Unless I missed something, this is **negating the `rotate_token()` call**. Is that correct, or have I misread it? Given the docstring in `rotate_token()` isn't this a no-no? If so, we can't recommend this.
- Line 24 (unmodified in v1 and v2): On the other hand, if `CsrfViewMiddleware` is first then the `rotate_token()` call will replace whatever `CSRF_COOKIE` was previously set, and so the actual CSRF check in `process_view()` will necessarily fail. (As we must be seeing here.)