Fixed bug causing CSRF token not to rotate on login.

Thanks Gavin McQuillan for the report.
commit ac4fec5ca2d429a565919033ea4d801db51a8e9e 1 parent a800036
Tim Graham timgraham authored
1  django/contrib/auth/tests/test_views.py
@@ -531,7 +531,6 @@ def test_login_csrf_rotate(self, password='password'):
CsrfViewMiddleware().process_view(req, login_view, (), {})
req.META["SERVER_NAME"] = "testserver" # Required to have redirect work in login view
req.META["SERVER_PORT"] = 80
- req.META["CSRF_COOKIE_USED"] = True
resp = login_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None)
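Review bot: at `csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None)` the lookup falls back to None, so now that the test no longer sets `CSRF_COOKIE_USED` by hand, a regression in `rotate_token` would only show up as whatever error a missing cookie triggers further down. Add an explicit assertion right after this line that `csrf_cookie` is not None, so the failure names the real problem: no CSRF cookie on the login response. It would also help to leave a short comment where the removed line was, saying the flag is deliberately not set here because `rotate_token` is expected to set it.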
5 django/middleware/csrf.py
@@ -56,7 +56,10 @@ def rotate_token(request):
Changes the CSRF token in use for a request - should be done on login
for security purposes.
"""
- request.META["CSRF_COOKIE"] = _get_new_csrf_key()
+ request.META.update({
+ "CSRF_COOKIE_USED": True,
+ "CSRF_COOKIE": _get_new_csrf_key(),
+ })
def _sanitize_token(token):
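Review bot: the docstring of `rotate_token` still only says it changes the token; it should also state that the function sets `"CSRF_COOKIE_USED": True`, since that side effect is the whole fix and nothing in the hunk explains why the flag is needed. A one-line comment above `request.META.update({` noting that the flag makes the new token get sent on the response would keep someone from simplifying this back to the single `CSRF_COOKIE` assignment. As a style point, two plain assignments to `request.META` would read more directly than building a dict for `update()`.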