-
-
Notifications
You must be signed in to change notification settings - Fork 31.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed #24696 -- Made CSRF_COOKIE computation lazy if not set. #4550
Conversation
There's a failing test with this change:
|
The auth_tests.test_views.LoginTest. test_login_csrf_rotate test fails because it is manually manipulating the request.META["CSRF_COOKIE_USED"] variable. If we need to support the case where apps or other middleware change that variable directly I can add support for that, but if not I can fix the test to not rely on that implementation detail of the csrf middleware. |
I'd suggest posting on the django-developers list to get some more eyes on this change and advice on that. |
I think this change is correct, but I wouldn't mind confirmation from @PaulMcMillan or @spookylukey or someone else familiar with our CSRF implementation. The comment starting on (new) line 196 of |
carljm - RE: comment on line 196 of middleware/csrf.py Since it should not be possible for CSRF_COOKIE_USED to be true and for CSRF_COOKIE to be none at the same time, should we just eliminate the whole comment and check for the CSRF_COOKIE and let the check for CSRF_COOKIE_USED do all the work? I don't think there are any cases where it is legal to call get_token before CsrfViewMiddleware.process_view has run? If get_token was called first we be generating a new token even if the request supplied one in the cookies. |
Yeah, I think we should just eliminate that check. With your change, any scenario where |
|
||
A side effect of calling this function is to make the csrf_protect | ||
decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' | ||
header to the outgoing response. For this reason, you may need to use this | ||
function lazily, as is done by the csrf context processor. | ||
""" | ||
if "CSRF_COOKIE" not in request.META: | ||
request.META["CSRF_COOKIE"] = _get_new_csrf_key() | ||
request.META["CSRF_COOKIE_USED"] = True | ||
return request.META.get("CSRF_COOKIE", None) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems like there's no longer a need for the defensive use of .get()
here; CSRF_COOKIE
must always be set at this point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed
Could you please squash your commits? |
Only compute the CSRF_COOKIE when it is actually used. This is a significant speedup for clients not using cookies. Changes results of the “test_token_node_no_csrf_cookie” test: It gets a valid csrf token now which seems like the correct behavior. Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to use “get_token” to trigger csrf cookie inclusion instead of changing request.META["CSRF_COOKIE_USED"] directly.
merged in eef95ea, thanks! |
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.
Changes results of the “test_token_node_no_csrf_cookie” test: It gets
a valid csrf token now which seems like the correct behavior.
This speeds up trivial views by about 40%