diff options
| author | Tim Graham <timograham@gmail.com> | 2013-10-17 19:51:45 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2013-10-18 08:31:19 -0400 |
| commit | ac4fec5ca2d429a565919033ea4d801db51a8e9e (patch) | |
| tree | 7d05f8eeeadceb59e75628150dd99624e84da2de | |
| parent | a800036981c6fea8eb3dac22467965c71af05d29 (diff) | |
Fixed bug causing CSRF token not to rotate on login.
Thanks Gavin McQuillan for the report.
| -rw-r--r-- | django/contrib/auth/tests/test_views.py | 1 | ||||
| -rw-r--r-- | django/middleware/csrf.py | 5 |
2 files changed, 4 insertions, 2 deletions
diff --git a/django/contrib/auth/tests/test_views.py b/django/contrib/auth/tests/test_views.py index 0190d1d3d4..f34102289d 100644 --- a/django/contrib/auth/tests/test_views.py +++ b/django/contrib/auth/tests/test_views.py @@ -531,7 +531,6 @@ class LoginTest(AuthViewsTestCase): CsrfViewMiddleware().process_view(req, login_view, (), {}) req.META["SERVER_NAME"] = "testserver" # Required to have redirect work in login view req.META["SERVER_PORT"] = 80 - req.META["CSRF_COOKIE_USED"] = True resp = login_view(req) resp2 = CsrfViewMiddleware().process_response(req, resp) csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None) diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index c13715eeb9..1089153538 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -56,7 +56,10 @@ def rotate_token(request): Changes the CSRF token in use for a request - should be done on login for security purposes. """ - request.META["CSRF_COOKIE"] = _get_new_csrf_key() + request.META.update({ + "CSRF_COOKIE_USED": True, + "CSRF_COOKIE": _get_new_csrf_key(), + }) def _sanitize_token(token): |
