mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.
This commit is contained in:
parent
02ba48bc23
commit
9446950470
@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes:
|
|||||||
Before any view middleware that assumes that CSRF attacks have been dealt
|
Before any view middleware that assumes that CSRF attacks have been dealt
|
||||||
with.
|
with.
|
||||||
|
|
||||||
|
Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
|
||||||
|
other authentication middleware that may perform a login, and hence rotate
|
||||||
|
the CSRF token, before calling down the middleware chain.
|
||||||
|
|
||||||
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
|
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
|
||||||
|
|
||||||
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
|
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
|
||||||
|
Loading…
Reference in New Issue
Block a user