summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorCarlton Gibson <carlton.gibson@noumenal.es>2019-10-02 13:11:03 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-10-02 13:11:03 +0200
commit94469504706b494877b6bb45a979bcb81c7fd7be (patch)
treee59f7d38025542e69f9b9de3123ea6f0c9d84055 /docs
parent02ba48bc23618c558136d8a0a48349c0bb497dc9 (diff)
Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/middleware.txt4
1 files changed, 4 insertions, 0 deletions
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt
index 04b598625e..d9f544737d 100644
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes:
Before any view middleware that assumes that CSRF attacks have been dealt
with.
+ Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
+ other authentication middleware that may perform a login, and hence rotate
+ the CSRF token, before calling down the middleware chain.
+
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`