From 9c33d74f1dbc71dc295f11c1be2f1146a487e611 Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Wed, 3 Dec 2008 13:23:23 +0000
Subject: [PATCH] Added some explanatory comments in CsrfMiddleware
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9561 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/csrf/middleware.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/django/contrib/csrf/middleware.py b/django/contrib/csrf/middleware.py
index 6f818fc93c..3a06feb398 100644
--- a/django/contrib/csrf/middleware.py
+++ b/django/contrib/csrf/middleware.py
@@ -67,11 +67,16 @@ class CsrfResponseMiddleware(object):
 def process_response(self, request, response):
 csrf_token = None
 try:
+ # This covers a corner case in which the outgoing request
+ # both contains a form and sets a session cookie. This
+ # really should not be needed, since it is best if views
+ # that create a new session (login pages) also do a
+ # redirect, as is done by all such view functions in
+ # Django.
 cookie = response.cookies[settings.SESSION_COOKIE_NAME]
 csrf_token = _make_token(cookie.value)
 except KeyError:
- # No outgoing cookie to set session, but
- # a session might already exist.
+ # Normal case - look for existing session cookie
 try:
 session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
 csrf_token = _make_token(session_id)
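Review bot: The new comment above `cookie = response.cookies[settings.SESSION_COOKIE_NAME]` says "outgoing request", but the object being read there is `response`, so it should read `# This covers a corner case in which the outgoing response`. The comment would also be more useful if it said why the response cookie is checked first: both branches pass a session id to `_make_token`, so a form rendered in a response that sets a new session cookie presumably has to carry a token for that new id, not the one in `request.COOKIES`. The replacement `# Normal case - look for existing session cookie` drops the earlier hint that this branch runs because no session cookie is being set on the response; something like `# Normal case: response sets no session cookie, use the one sent with the request` keeps it. The body of process_response continues outside the hunk, so how a missing request cookie is handled is not visible here.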