Fixed bug causing CSRF token not to rotate on login.
Thanks Gavin McQuillan for the report.
@@ -531,7 +531,6 @@ class LoginTest(AuthViewsTestCase):
|
|||||||
CsrfViewMiddleware().process_view(req, login_view, (), {})
|
CsrfViewMiddleware().process_view(req, login_view, (), {})
|
||||||
req.META["SERVER_NAME"] = "testserver" # Required to have redirect work in login view
|
req.META["SERVER_NAME"] = "testserver" # Required to have redirect work in login view
|
||||||
req.META["SERVER_PORT"] = 80
|
req.META["SERVER_PORT"] = 80
|
||||||
req.META["CSRF_COOKIE_USED"] = True
|
|
||||||
resp = login_view(req)
|
resp = login_view(req)
|
||||||
resp2 = CsrfViewMiddleware().process_response(req, resp)
|
resp2 = CsrfViewMiddleware().process_response(req, resp)
|
||||||
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None)
|
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None)
|
||||||
|
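Review bot: The removal of `req.META["CSRF_COOKIE_USED"] = True` from the test deserves a comment in its place, since a future reader may re-add the line and the test would then stop detecting the regression this commit fixes — setting the flag by hand in the test is what masked rotate_token() never marking the cookie as used. Suggest `# Do not set CSRF_COOKIE_USED here: rotate_token() in the login view must mark it itself, otherwise process_response() never emits the rotated cookie.` immediately before `resp = login_view(req)`. That process_response gates cookie emission on this flag is inferred from the paired rotate_token change rather than visible in this hunk. The test method begins, and its assertions on csrf_cookie end, outside the hunk.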
@@ -56,7 +56,10 @@ def rotate_token(request):
|
|||||||
Changes the CSRF token in use for a request - should be done on login
|
Changes the CSRF token in use for a request - should be done on login
|
||||||
for security purposes.
|
for security purposes.
|
||||||
"""
|
"""
|
||||||
request.META["CSRF_COOKIE"] = _get_new_csrf_key()
|
request.META.update({
|
||||||
|
"CSRF_COOKIE_USED": True,
|
||||||
|
"CSRF_COOKIE": _get_new_csrf_key(),
|
||||||
|
})
|
||||||
|
|
||||||
|
|
||||||
def _sanitize_token(token):
|
def _sanitize_token(token):
|
||||||
|
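Review bot: The rotate_token docstring still describes only the token change, while the fix relies on the new `"CSRF_COOKIE_USED": True` entry; a reader of the docstring alone cannot tell that this function is also responsible for flagging the cookie so the middleware actually writes it. Suggest appending to the docstring: `Also marks the CSRF cookie as used so that CsrfViewMiddleware.process_response sends the rotated token to the client.` That process_response checks CSRF_COOKIE_USED is inferred from the companion test change, not shown in this hunk. The function's `def` line is outside the hunk.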