diff options
| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-01-22 09:56:48 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2019-01-30 11:02:26 -0500 |
| commit | bae66e759faee8513da4b11d3fd16b044b415bdb (patch) | |
| tree | fbc0d9d72fb43232171cb3dd226092393362cd88 /docs/ref/settings.txt | |
| parent | 7e6b214ed34f5562dbd83cf54924a5b589a29715 (diff) | |
Fixed #30091 -- Doc'd middleware ordering requirements with CSRF_USE_SESSIONS.
Diffstat (limited to 'docs/ref/settings.txt')
| -rw-r--r-- | docs/ref/settings.txt | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index ef83842aa0..a4be583003 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -403,6 +403,12 @@ Storing the CSRF token in a cookie (Django's default) is safe, but storing it in the session is common practice in other web frameworks and therefore sometimes demanded by security auditors. +Since the :ref:`default error views <error-views>` require the CSRF token, +:class:`~django.contrib.sessions.middleware.SessionMiddleware` must appear in +:setting:`MIDDLEWARE` before any middleware that may raise an exception to +trigger an error view (such as :exc:`~django.core.exceptions.PermissionDenied`) +if you're using ``CSRF_USE_SESSIONS``. See :ref:`middleware-ordering`. + .. setting:: CSRF_FAILURE_VIEW ``CSRF_FAILURE_VIEW`` |
