Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/middleware.txt9
-rw-r--r--docs/ref/settings.txt6
2 files changed, 13 insertions, 2 deletions
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt
index caa1c731f8..627de6edc9 100644
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@@ -426,6 +426,10 @@ Here are some hints about the ordering of various Django middleware classes:
#. :class:`~django.contrib.sessions.middleware.SessionMiddleware`
+ Before any middleware that may raise an an exception to trigger an error
+ view (such as :exc:`~django.core.exceptions.PermissionDenied`) if you're
+ using :setting:`CSRF_USE_SESSIONS`.
+
After ``UpdateCacheMiddleware``: Modifies ``Vary`` header.
#. :class:`~django.middleware.http.ConditionalGetMiddleware`
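Review bot: the added ``SessionMiddleware`` hint has a doubled article in "raise an an exception to trigger an error view"; drop one "an". The line also states only the constraint, not what goes wrong when it is violated; the settings.txt hunk in this same commit explains that the default error views require the CSRF token, so a pointer of the same kind here (or a :ref: to the :setting:`CSRF_USE_SESSIONS` section) would save readers a cross-file lookup.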
@@ -450,13 +454,14 @@ Here are some hints about the ordering of various Django middleware classes:
Close to the top: it redirects when :setting:`APPEND_SLASH` or
:setting:`PREPEND_WWW` are set to ``True``.
+ After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
+
#. :class:`~django.middleware.csrf.CsrfViewMiddleware`
Before any view middleware that assumes that CSRF attacks have been dealt
with.
- It must come after ``SessionMiddleware`` if you're using
- :setting:`CSRF_USE_SESSIONS`.
+ After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
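Review bot: the new ``CommonMiddleware`` line, "After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.", gives no reason, whereas the ``SessionMiddleware`` entry in the previous hunk ties the ordering to middleware that may raise an exception triggering an error view; a reader cannot tell which ``CommonMiddleware`` behaviour this refers to. Suggest adding the reason in the same words, or a "see the ``SessionMiddleware`` entry above" pointer, so the two entries read consistently. Rewording the ``CsrfViewMiddleware`` entry from "It must come after" to "After ..." to match the other bullets is fine.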
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index ef83842aa0..a4be583003 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -403,6 +403,12 @@ Storing the CSRF token in a cookie (Django's default) is safe, but storing it
in the session is common practice in other web frameworks and therefore
sometimes demanded by security auditors.
+Since the :ref:`default error views <error-views>` require the CSRF token,
+:class:`~django.contrib.sessions.middleware.SessionMiddleware` must appear in
+:setting:`MIDDLEWARE` before any middleware that may raise an exception to
+trigger an error view (such as :exc:`~django.core.exceptions.PermissionDenied`)
+if you're using ``CSRF_USE_SESSIONS``. See :ref:`middleware-ordering`.
+
.. setting:: CSRF_FAILURE_VIEW
``CSRF_FAILURE_VIEW``
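Review bot: the condition "if you're using ``CSRF_USE_SESSIONS``" arrives at the very end of the new paragraph, after the constraint and the example exception, so the requirement reads as unconditional until the last clause. Suggest leading with it, e.g. "If you're using ``CSRF_USE_SESSIONS``, :class:`~django.contrib.sessions.middleware.SessionMiddleware` must appear in :setting:`MIDDLEWARE` before any middleware that may raise an exception to trigger an error view (such as :exc:`~django.core.exceptions.PermissionDenied`), since the :ref:`default error views <error-views>` require the CSRF token. See :ref:`middleware-ordering`."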