mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00

[3.0.x] Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.

Backport of 9446950470 from master
Carlton Gibson
2019-10-02 13:11:03 +02:00
committed by Mariusz Felisiak
parent 516200c09e
commit b0b98fcacf

@@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes:
Before any view middleware that assumes that CSRF attacks have been dealt
with.
Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
other authentication middleware that may perform a login, and hence rotate
the CSRF token, before calling down the middleware chain.
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
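Review bot: in the new ``RemoteUserMiddleware`` item, the trailing clause "before calling down the middleware chain" is ambiguous, because after the second comma it can be read as qualifying where the CSRF middleware is placed rather than when the authentication middleware performs its login. Parenthesising the aside would remove the ambiguity, for example "that may perform a login (and hence rotate the CSRF token) before calling down the middleware chain". The item also states the required order without naming the symptom a wrong order produces; a short clause on what the reader would observe would make the hint more useful to someone debugging a misordered :setting:`MIDDLEWARE` list.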