Misc clarifications in csrf middleware comments

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 905dba3694efa20de061d5350cd7de08ed0e5f46 1 parent 43c2ed0
Luke Plant authored October 27, 2009

Showing 1 changed file with 9 additions and 6 deletions. Show diff stats Hide diff stats

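--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -83,8 +83,11 @@ def accept():
             request.META["CSRF_COOKIE"] = request.COOKIES[settings.CSRF_COOKIE_NAME]
             cookie_is_new = False
         except KeyError:
-            # No cookie, so create one.
+            # No cookie, so create one.  This will be sent with the next
+            # response.
             request.META["CSRF_COOKIE"] = _get_new_csrf_key()
+            # Set a flag to allow us to fall back and allow the session id in
+            # place of a CSRF cookie for this request only.
             cookie_is_new = True
 
         if request.method == 'POST':
@@ -133,10 +136,10 @@ def accept():
                     return reject("Referer checking failed - %s does not match %s." %
                                   (referer, good_referer))
 
-            # If the user didn't already have a CSRF key, then accept the
-            # session key for the middleware token, so CSRF protection isn't lost
-            # for the period between upgrading to CSRF cookes to the first time
-            # each user comes back to the site to receive one.
+            # If the user didn't already have a CSRF cookie, then fall back to
+            # the Django 1.1 method (hash of session ID), so a request is not
+            # rejected if the form was sent to the user before upgrading to the
+            # Django 1.2 method (session independent nonce)
             if cookie_is_new:
                 try:
                     session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
@@ -226,7 +229,7 @@ def add_csrf_field(match):
                 patch_vary_headers(response, ('Cookie',))
 
                 # Since the content has been modified, any Etag will now be
-                # incorrect.  We could recalculate, but only if we assume that              
+                # incorrect.  We could recalculate, but only if we assume that
                 # the Etag was set by CommonMiddleware. The safest thing is just
                 # to delete. See bug #9163
                 del response['ETag']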
