id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32902	CsrfViewMiddleware.process_response()'s csrf_cookie_needs_reset and csrf_cookie_set logic isn't right	Chris Jerdonek	Chris Jerdonek	"I noticed that the `csrf_cookie_needs_reset` and `csrf_cookie_set` logic inside `CsrfViewMiddleware.process_response()` isn't right: https://github.com/django/django/blob/fa35c8bdbc6aca65d94d6280fa463d5bc7baa5c0/django/middleware/csrf.py#L439-L451

Consequently--

1. `self._set_token(request, response)` can get called twice in some circumstances, even if `response.csrf_cookie_set` is true at the beginning, and
2. the cookie can fail to be reset in some circumstances, even if `csrf_cookie_needs_reset` is true at the beginning.

(I previously let `security@djangoproject.com` know about this issue, and they said it was okay to resolve this publicly.)
"	Bug	closed	CSRF	dev	Normal	fixed		Shai Berger Florian Apolloner	Ready for checkin	1	0	0	0	0	0
