mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00

Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.

Carlton Gibson 2019-10-02 13:11:03 +02:00 committed by Mariusz Felisiak
parent 02ba48bc23
commit 9446950470

@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes:
Before any view middleware that assumes that CSRF attacks have been dealt Before any view middleware that assumes that CSRF attacks have been dealt
with. with.
Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
other authentication middleware that may perform a login, and hence rotate
the CSRF token, before calling down the middleware chain.
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`. After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware` #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
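
Review bot: The added paragraph uses "before" in two senses within one sentence: the leading "Before :class:`...RemoteUserMiddleware`" is about position in the middleware ordering, while the trailing "before calling down the middleware chain" is about when the login happens. A reader can take the trailing clause as a second ordering constraint. Suggest setting the timing clause apart, for example "any other authentication middleware that may perform a login (and hence rotate the CSRF token) before it calls the next middleware". The paragraph also states the rule without naming what goes wrong when the order is reversed; one clause on the effect of the token being rotated at that point would help readers recognise the misconfiguration from its symptom.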