Fixed #24696 -- Made CSRF_COOKIE computation lazy if not set.

[electricjay]

Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.

Changes results of the “test_token_node_no_csrf_cookie” test: It gets
a valid csrf token now which seems like the correct behavior.

This speeds up trivial views by about 40%

[timgraham]

There's a failing test with this change:

======================================================================
ERROR: test_login_csrf_rotate (auth_tests.test_views.LoginTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/tim/code/django/tests/auth_tests/test_views.py", line 613, in test_login_csrf_rotate
    token1 = csrf_cookie.coded_value
AttributeError: 'NoneType' object has no attribute 'coded_value'

[electricjay]

The auth_tests.test_views.LoginTest. test_login_csrf_rotate test fails because it is manually manipulating the request.META["CSRF_COOKIE_USED"] variable.

If we need to support the case where apps or other middleware change that variable directly I can add support for that, but if not I can fix the test to not rely on that implementation detail of the csrf middleware.

[timgraham]

I'd suggest posting on the django-developers list to get some more eyes on this change and advice on that.

[carljm]

I think this change is correct, but I wouldn't mind confirmation from @PaulMcMillan or @spookylukey or someone else familiar with our CSRF implementation.

The comment starting on (new) line 196 of middleware/csrf.py also needs to be updated for consistency with this change. I think the behavior is still ok (request.META['CSRF_COOKIE'] shouldn't ever be None unless request.META['CSRF_COOKIE_USED'] is also False or not present, in which case we'll bail out at the following check anyway), but the comment is plainly wrong now.

[electricjay]

carljm - RE: comment on line 196 of middleware/csrf.py

Since it should not be possible for CSRF_COOKIE_USED to be true and for CSRF_COOKIE to be none at the same time, should we just eliminate the whole comment and check for the CSRF_COOKIE and let the check for CSRF_COOKIE_USED do all the work?

I don't think there are any cases where it is legal to call get_token before CsrfViewMiddleware.process_view has run? If get_token was called first we be generating a new token even if the request supplied one in the cookies.

[carljm]

Yeah, I think we should just eliminate that check. With your change, any scenario where CSRF_COOKIE_USED but there's no CSRF_COOKIE is a bug in user code that would have to be caused by messing about with internals (because there are only two places that set CSRF_COOKIE_USED, and with your change both of those places also guarantee that CSRF_COOKIE is set). In the case of such a bug in user code, better to fail fast with an error than just silently send no cookie, I think.

[carljm]

It seems like there's no longer a need for the defensive use of .get() here; CSRF_COOKIE must always be set at this point.

[electricjay]

agreed

[timgraham]

Could you please squash your commits?

[timgraham]

merged in eef95ea, thanks!