from django.http import HttpResponse from django.middleware.csrf import get_token, rotate_token from django.template import Context, RequestContext, Template from django.template.context_processors import csrf from django.utils.decorators import decorator_from_middleware from django.utils.deprecation import MiddlewareMixin from django.views.decorators.csrf import csrf_protect, ensure_csrf_cookie class TestingHttpResponse(HttpResponse): """ A version of HttpResponse that stores what cookie values are passed to set_cookie() when CSRF_USE_SESSIONS=False. """ def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) # This is a list of the cookie values passed to set_cookie() over # the course of the request-response. self._cookies_set = [] def set_cookie(self, key, value, **kwargs): super().set_cookie(key, value, **kwargs) self._cookies_set.append(value) class _CsrfCookieRotator(MiddlewareMixin): def process_response(self, request, response): rotate_token(request) return response csrf_rotating_token = decorator_from_middleware(_CsrfCookieRotator) @csrf_protect @csrf_rotating_token @ensure_csrf_cookie def sandwiched_rotate_token_view(request): """ This is a view that calls rotate_token() in process_response() between two calls to CsrfViewMiddleware.process_response(). """ return TestingHttpResponse('OK') def post_form_view(request): """Return a POST form (without a token).""" return HttpResponse(content="""