﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28699	REMOTE_USER issues with CSRF	stephanm	Colton Hicks	"I have a problem with csrf protection starting with django 1.11.6
(Django 1.11.5 does not have this problem).

I have always done exactly what is explained in
https://docs.djangoproject.com/en/1.11/howto/auth-remote-user/

My settings:
{{{#!python
     MIDDLEWARE = [
        ""django.contrib.sessions.middleware.SessionMiddleware"",
        ""django.middleware.locale.LocaleMiddleware"",
        ""django.middleware.common.CommonMiddleware"",
        ""django.middleware.csrf.CsrfViewMiddleware"",
        ""django.contrib.auth.middleware.AuthenticationMiddleware"",
        # ""django.contrib.auth.middleware.RemoteUserMiddleware"",
        # own middleware because behind the proxy we get HTTP_REMOTE_USER
        # instead of REMOTE_USER
        ""lib.auth.middleware.RemoteUserMiddlewareProxy"",
        ""django.contrib.messages.middleware.MessageMiddleware"",
        ""django.middleware.clickjacking.XFrameOptionsMiddleware"",
    ]
    
    AUTHENTICATION_BACKENDS = [
        # ""django.contrib.auth.backends.RemoteUserBackend"",
        ""lib.auth.backends.RemoteUserBackendTooling"",
        # default is:
        ""django.contrib.auth.backends.ModelBackend"",
    ]
}}}

{{{#!python
# content of lib.auth.middleware.RemoteUserMiddlewareProxy
from django.contrib.auth.middleware import RemoteUserMiddleware


class RemoteUserMiddlewareProxy(RemoteUserMiddleware):
    header = ""HTTP_REMOTE_USER""
}}}

{{{#!python
# content of lib.auth.backends.RemoteUserBackendTooling
from django.contrib.auth.backends import RemoteUserBackend


class RemoteUserBackendTooling(RemoteUserBackend):

    create_unknown_user = False

    def clean_username(self, username):
        """"""
        Performs any cleaning on the ""username"" prior to using it to get or
        create the user object.  Returns the cleaned username.

        By default, returns the username unchanged.
        """"""
        if username.startswith(""IT\\""):
            username = username[3:]
        return username
}}}

My C# application logs in by using the normal
""django.contrib.auth.backends.ModelBackend"", not using REMOTE_USER!
It calls a function in my views.py:
{{{#!python
    def auth_login_json(request):
        # code...
        # POST data with user & password
        pass  # body elided in the report; placeholder so the snippet parses
}}}

Now the CSRF protection fails with an HTTP 403 error
(only with Django 1.11.6; Django 1.11.5 works).

I found two possibilities to make it work again:

1. In MIDDLEWARE, comment out ""lib.auth.middleware.RemoteUserMiddlewareProxy"",
   but then the other remote user login functionality is gone.
2. I add @csrf_exempt to the auth_login_json function like this:

{{{#!python
    @csrf_exempt
    def auth_login_json(request):
        # code...
        # POST data with user & password
        pass  # body elided in the report; placeholder so the snippet parses

}}}

Reading the changelog at https://docs.djangoproject.com/en/1.11/releases/1.11.6/,
I suppose this behaviour change comes with https://code.djangoproject.com/ticket/28488

My question: Was I wrong all the years or is this a bug?"	Bug	closed	contrib.auth	1.11	Normal	fixed	remote user	Florian Apolloner Carlton Gibson	Ready for checkin	1	0	1	0	0	0
