Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

Misc clarifications in csrf middleware comments

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
1 parent 43c2ed0 commit 905dba3694efa20de061d5350cd7de08ed0e5f46 @spookylukey spookylukey committed
Showing with 9 additions and 6 deletions.
  1. +9 −6 django/middleware/
15 django/middleware/
@@ -83,8 +83,11 @@ def accept():
request.META["CSRF_COOKIE"] = request.COOKIES[settings.CSRF_COOKIE_NAME]
cookie_is_new = False
except KeyError:
- # No cookie, so create one.
+ # No cookie, so create one. This will be sent with the next
+ # response.
request.META["CSRF_COOKIE"] = _get_new_csrf_key()
+ # Set a flag to allow us to fall back and allow the session id in
+ # place of a CSRF cookie for this request only.
cookie_is_new = True
if request.method == 'POST':
@@ -133,10 +136,10 @@ def accept():
return reject("Referer checking failed - %s does not match %s." %
(referer, good_referer))
- # If the user didn't already have a CSRF key, then accept the
- # session key for the middleware token, so CSRF protection isn't lost
- # for the period between upgrading to CSRF cookes to the first time
- # each user comes back to the site to receive one.
+ # If the user didn't already have a CSRF cookie, then fall back to
+ # the Django 1.1 method (hash of session ID), so a request is not
+ # rejected if the form was sent to the user before upgrading to the
+ # Django 1.2 method (session independent nonce)
if cookie_is_new:
session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
@@ -226,7 +229,7 @@ def add_csrf_field(match):
patch_vary_headers(response, ('Cookie',))
# Since the content has been modified, any Etag will now be
- # incorrect. We could recalculate, but only if we assume that
+ # incorrect. We could recalculate, but only if we assume that
# the Etag was set by CommonMiddleware. The safest thing is just
# to delete. See bug #9163
del response['ETag']

0 comments on commit 905dba3

Please sign in to comment.
Something went wrong with that request. Please try again.