id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32916	"CsrfViewMiddleware's request.META[""CSRF_COOKIE_USED""] and request.csrf_cookie_needs_reset can be combined"	Chris Jerdonek	Chris Jerdonek	"In `CsrfViewMiddleware`, `request.META[""CSRF_COOKIE_USED""]` and `request.csrf_cookie_needs_reset` are both used for the same purpose. Namely, they are inspected inside `CsrfViewMiddleware.process_response()` to determine whether a cookie should be sent (though the logic in the method is currently buggy): https://github.com/django/django/blob/6f60fa97b0b501ef7cc77e16392654bf27ec8db3/django/middleware/csrf.py#L440-L445

Combining these two things would simplify `CsrfViewMiddleware`. This could be done after #32902, which fixes the bugginess mentioned above.

My suggestion would be to replace both of these with a single `request.META` key of `request.META[""CSRF_COOKIE_NEEDS_RESET""]`. The reason is that the `request.META` dict is more visible and easier to debug than a custom request attribute, and it pairs more nicely with `request.META[""CSRF_COOKIE""]`. Also, using the current key of `""CSRF_COOKIE_USED""` would be misleading because there are cases where the cookie is queued for reset even if it hasn't been used in the request.
"	Cleanup/optimization	closed	CSRF	dev	Normal	fixed		Shai Berger Florian Apolloner	Ready for checkin	1	0	0	0	0	0