diff options
Diffstat (limited to 'django')
| -rw-r--r-- | django/middleware/csrf.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index 4ac2f23019..368b51f316 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -280,7 +280,10 @@ class CsrfViewMiddleware(MiddlewareMixin): reason = REASON_BAD_REFERER % referer.geturl() return self._reject(request, reason) - csrf_token = request.META.get('CSRF_COOKIE') + # Access csrf_token via self._get_token() as rotate_token() may + # have been called by an authentication middleware during the + # process_request() phase. + csrf_token = self._get_token(request) if csrf_token is None: # No CSRF cookie. For POST requests, we insist on a CSRF cookie, # and in this way we can avoid all CSRF attacks, including login |
