[3.0.x] Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.

Backport of 9446950470 from master
This commit is contained in:
Carlton Gibson 2019-10-02 13:11:03 +02:00 committed by Mariusz Felisiak
parent 516200c09e
commit b0b98fcacf
1 changed files with 4 additions and 0 deletions

View File

@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes:
Before any view middleware that assumes that CSRF attacks have been dealt
with.
Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
other authentication middleware that may perform a login, and hence rotate
the CSRF token, before calling down the middleware chain.
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`