mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00
Code Issues 25 Releases Wiki Activity

Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.

Browse Source
This commit is contained in:
Carlton Gibson 2019-10-02 13:11:03 +02:00 committed by Mariusz Felisiak
parent 02ba48bc23
commit 9446950470
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/ref/middleware.txt
View File

@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes:
Before any view middleware that assumes that CSRF attacks have been dealt Before any view middleware that assumes that CSRF attacks have been dealt
with. with.
Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
other authentication middleware that may perform a login, and hence rotate
the CSRF token, before calling down the middleware chain.
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`. After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware` #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`