
[1.5.x] Fixed bug causing CSRF token not to rotate on login.

Thanks Gavin McQuillan for the report.

Backport of ac4fec5 from master
commit 0fb2897c81c6c39f5d3a94ab50070c5fe8a602ad 1 parent 312ca5e
@timgraham timgraham authored
Showing with 4 additions and 2 deletions.
  1. +0 −1  django/contrib/auth/tests/views.py
  2. +4 −1 django/middleware/csrf.py
1  django/contrib/auth/tests/views.py
@@ -392,7 +392,6 @@ def test_login_csrf_rotate(self, password='password'):
CsrfViewMiddleware().process_view(req, login_view, (), {})
req.META["SERVER_NAME"] = "testserver" # Required to have redirect work in login view
req.META["SERVER_PORT"] = 80
- req.META["CSRF_COOKIE_USED"] = True
resp = login_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None)
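Review bot: Removing `req.META["CSRF_COOKIE_USED"] = True` from the test setup is what makes this test meaningful: with the flag set by hand, `CsrfViewMiddleware.process_response` would emit the rotated cookie regardless of whether `rotate_token` had marked it as used, so the test could not catch the bug this commit fixes. Since the assertion that follows is not in the visible hunk, it is worth confirming it compares `csrf_cookie.value` against the token in place before the login request rather than only checking that the cookie is present, because a non-None cookie alone does not prove the token rotated.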
5 django/middleware/csrf.py
@@ -58,7 +58,10 @@ def rotate_token(request):
Changes the CSRF token in use for a request - should be done on login
for security purposes.
"""
- request.META["CSRF_COOKIE"] = _get_new_csrf_key()
+ request.META.update({
+ "CSRF_COOKIE_USED": True,
+ "CSRF_COOKIE": _get_new_csrf_key(),
+ })
def _sanitize_token(token):
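Review bot: The docstring at the top of this hunk should be updated alongside the change, since `rotate_token` now has a second effect: setting `CSRF_COOKIE_USED` is what causes `process_response` to actually write the new token into the cookie, and a caller reading only "Changes the CSRF token in use for a request" would not know the function also flags the cookie for emission. A one-line addition such as "The new token is also marked as used so that the middleware sends it in the response." would document the contract that the test in this commit depends on. The `META.update({...})` form is fine; two plain assignments would be equally clear and keep the diff smaller, but that is a style preference only.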