diff options
| author | Carl Meyer <carl@oddbird.net> | 2011-06-10 16:18:40 +0000 |
|---|---|---|
| committer | Carl Meyer <carl@oddbird.net> | 2011-06-10 16:18:40 +0000 |
| commit | 0e03a504bf28c727283bcabbff0f4dc63feaf573 (patch) | |
| tree | bedf4742cf07a20e05d50dd5cb7da7866cc96229 | |
| parent | 528157ce73e4e7d9ee65c362d0cb4013eb17c5f0 (diff) | |
Refs #15855 -- Recommended the csrf_protect decorator rather than vary_on_cookie as workaround for cache_page caching the response before it gets to middleware.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16361 bcc190cf-cafb-0310-a4f2-bffc1f526a37
| -rw-r--r-- | docs/ref/contrib/csrf.txt | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 695b441108..93a7bb7c65 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -238,15 +238,16 @@ middleware will play well with the cache middleware if it is used as instructed (``UpdateCacheMiddleware`` goes before all other middleware). However, if you use cache decorators on individual views, the CSRF middleware -will not yet have been able to set the Vary header. In this case, on any views -that will require a CSRF token to be inserted you should use the -:func:`django.views.decorators.vary.vary_on_cookie` decorator first:: +will not yet have been able to set the Vary header or the CSRF cookie, and the +response will be cached without either one. In this case, on any views that +will require a CSRF token to be inserted you should use the +:func:`django.views.decorators.csrf.csrf_protect` decorator first:: from django.views.decorators.cache import cache_page - from django.views.decorators.vary import vary_on_cookie + from django.views.decorators.csrf import csrf_protect @cache_page(60 * 15) - @vary_on_cookie + @csrf_protect def my_view(request): # ... |
