summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2013-10-17 19:51:45 -0400
committerTim Graham <timograham@gmail.com>2013-10-18 08:33:00 -0400
commitdc8176eb3ae98b80eb49a88027d66fdef8094090 (patch)
tree9be08332227a0e57ac212effdad7dd0a0b62fabe
parent621fc1f1d74df2d9240dea88b5f7ebdf472bca38 (diff)
[1.6.x] Fixed bug causing CSRF token not to rotate on login.
Thanks Gavin McQuillan for the report. Backport of ac4fec5ca2 from master
-rw-r--r--django/contrib/auth/tests/test_views.py1
-rw-r--r--django/middleware/csrf.py5
2 files changed, 4 insertions, 2 deletions
diff --git a/django/contrib/auth/tests/test_views.py b/django/contrib/auth/tests/test_views.py
index ba07a70903..3a5fb5956b 100644
--- a/django/contrib/auth/tests/test_views.py
+++ b/django/contrib/auth/tests/test_views.py
@@ -518,7 +518,6 @@ class LoginTest(AuthViewsTestCase):
CsrfViewMiddleware().process_view(req, login_view, (), {})
req.META["SERVER_NAME"] = "testserver" # Required to have redirect work in login view
req.META["SERVER_PORT"] = 80
- req.META["CSRF_COOKIE_USED"] = True
resp = login_view(req)
resp2 = CsrfViewMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, None)
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index c13715eeb9..1089153538 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -56,7 +56,10 @@ def rotate_token(request):
Changes the CSRF token in use for a request - should be done on login
for security purposes.
"""
- request.META["CSRF_COOKIE"] = _get_new_csrf_key()
+ request.META.update({
+ "CSRF_COOKIE_USED": True,
+ "CSRF_COOKIE": _get_new_csrf_key(),
+ })
def _sanitize_token(token):