| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-10-02 13:11:03 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-10-02 13:12:00 +0200 |
| commit | 09013aae13b008359c054d5e4252844ebdb5aa57 (patch) | |
| tree | 28f24d3b97ce1b5dd0ab6edca6b5eec53d9a7eea /docs | |
| parent | da31472abfdc6364fcd00d6c902db8bdc04965c8 (diff) | |
[2.2.x] Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.
Backport of 94469504706b494877b6bb45a979bcb81c7fd7be from master
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/middleware.txt | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index db70a7c14d..99ff001954 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -458,6 +458,10 @@ Here are some hints about the ordering of various Django middleware classes: Before any view middleware that assumes that CSRF attacks have been dealt with. + Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any + other authentication middleware that may perform a login, and hence rotate + the CSRF token, before calling down the middleware chain. + After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`. #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware` |
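Review bot: the trailing clause "before calling down the middleware chain" in the added paragraph under the CSRF middleware hints is ambiguous after the two commas: it can be read as attaching to "rotate the CSRF token" or to the ordering instruction itself, rather than to "perform a login". Parenthesising the aside would pin it down, for example "any other authentication middleware that may perform a login (and hence rotate the CSRF token) before calling down the middleware chain". The paragraph also states the ordering without saying what a reader sees when it is violated; one clause naming the symptom of a token rotated ahead of the CSRF middleware would make a misordered ``MIDDLEWARE`` setting easier to diagnose. Since the hint is given only from the CSRF side, consider a reciprocal "after the CSRF middleware" note wherever the authentication middleware ordering is described, so the constraint is found from either entry.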
