[2.2.x] Fixed #30091 -- Doc'd middleware ordering requirements with CSRF_USE_SESSIONS.

Backport of bae66e759f from master.
Carlton Gibson 2019-01-22 09:56:48 +01:00 committed by Tim Graham
parent 6e8b11ab2b
commit 89d39dc1d7
2 changed files with 13 additions and 2 deletions

View File

@ -426,6 +426,10 @@ Here are some hints about the ordering of various Django middleware classes:
#. :class:`~django.contrib.sessions.middleware.SessionMiddleware` #. :class:`~django.contrib.sessions.middleware.SessionMiddleware`
Before any middleware that may raise an an exception to trigger an error
view (such as :exc:`~django.core.exceptions.PermissionDenied`) if you're
using :setting:`CSRF_USE_SESSIONS`.
After ``UpdateCacheMiddleware``: Modifies ``Vary`` header. After ``UpdateCacheMiddleware``: Modifies ``Vary`` header.
#. :class:`~django.middleware.http.ConditionalGetMiddleware` #. :class:`~django.middleware.http.ConditionalGetMiddleware`
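Review bot: the added SessionMiddleware hint has a doubled article, "may raise an an exception"; it should read "may raise an exception to trigger an error view". Keeping the rule conditional on :setting:`CSRF_USE_SESSIONS` is right, since the constraint only exists when the token is read from the session, but it would help readers to name which built-in middleware the hint is aimed at, given that the CommonMiddleware entry later in this file is the one being moved behind SessionMiddleware for exactly this reason.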
@ -450,13 +454,14 @@ Here are some hints about the ordering of various Django middleware classes:
Close to the top: it redirects when :setting:`APPEND_SLASH` or Close to the top: it redirects when :setting:`APPEND_SLASH` or
:setting:`PREPEND_WWW` are set to ``True``. :setting:`PREPEND_WWW` are set to ``True``.
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.middleware.csrf.CsrfViewMiddleware` #. :class:`~django.middleware.csrf.CsrfViewMiddleware`
Before any view middleware that assumes that CSRF attacks have been dealt Before any view middleware that assumes that CSRF attacks have been dealt
with. with.
It must come after ``SessionMiddleware`` if you're using After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
:setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware` #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
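Review bot: the new CommonMiddleware line gives the ordering but not the reason, while the SessionMiddleware entry in the same hunk set ties the rule to "any middleware that may raise an exception to trigger an error view". A short clause here, e.g. "After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`, since it may raise an exception that triggers an error view.", lets readers apply the same rule to other (including third-party) middleware instead of treating CommonMiddleware as a special case. Changing the CsrfViewMiddleware line from "It must come after" to "After" is a good consistency fix; the other hints in this list use the same terse form.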

View File

@ -405,6 +405,12 @@ Storing the CSRF token in a cookie (Django's default) is safe, but storing it
in the session is common practice in other web frameworks and therefore in the session is common practice in other web frameworks and therefore
sometimes demanded by security auditors. sometimes demanded by security auditors.
Since the :ref:`default error views <error-views>` require the CSRF token,
:class:`~django.contrib.sessions.middleware.SessionMiddleware` must appear in
:setting:`MIDDLEWARE` before any middleware that may raise an exception to
trigger an error view (such as :exc:`~django.core.exceptions.PermissionDenied`)
if you're using ``CSRF_USE_SESSIONS``. See :ref:`middleware-ordering`.
.. setting:: CSRF_FAILURE_VIEW .. setting:: CSRF_FAILURE_VIEW
``CSRF_FAILURE_VIEW`` ``CSRF_FAILURE_VIEW``
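Review bot: the added paragraph states the constraint but not the symptom. With ``CSRF_USE_SESSIONS`` on, the token lives in the session, so an error view rendered before :class:`~django.contrib.sessions.middleware.SessionMiddleware` has run has no session to read it from and the error view itself fails, masking the original exception; one sentence saying so would let readers recognise a misordered :setting:`MIDDLEWARE` from the failure they see rather than from this note. It would also be worth naming CommonMiddleware here as the built-in case, as the middleware ordering change in this commit does, since it is the middleware most installations have ahead of SessionMiddleware.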