mirror of https://github.com/django/django.git
[3.0.x] Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.
Backport of 9446950470
from master
This commit is contained in:
parent
516200c09e
commit
b0b98fcacf
|
@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes:
|
|||
Before any view middleware that assumes that CSRF attacks have been dealt
|
||||
with.
|
||||
|
||||
Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
|
||||
other authentication middleware that may perform a login, and hence rotate
|
||||
the CSRF token, before calling down the middleware chain.
|
||||
|
||||
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
|
||||
|
||||
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
|
||||
|
|
Loading…
Reference in New Issue