From b0b98fcacf929ed190b2fa5fb56f595d4fc518ff Mon Sep 17 00:00:00 2001 From: Carlton Gibson Date: Wed, 2 Oct 2019 13:11:03 +0200 Subject: [PATCH] [3.0.x] Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware. Backport of 94469504706b494877b6bb45a979bcb81c7fd7be from master --- docs/ref/middleware.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index 04b598625ec..d9f544737de 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes: Before any view middleware that assumes that CSRF attacks have been dealt with. + Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any + other authentication middleware that may perform a login, and hence rotate + the CSRF token, before calling down the middleware chain. + After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`. #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`