Misc clarifications in csrf middleware comments

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:31:20 +00:00 · 2009-10-27 21:31:20 +00:00 · 905dba3694
parent 43c2ed0eb3
commit 905dba3694
1 changed files with 9 additions and 6 deletions
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@ -83,8 +83,11 @@ class CsrfViewMiddleware(object):
            request.META["CSRF_COOKIE"] = request.COOKIES[settings.CSRF_COOKIE_NAME]
            cookie_is_new = False
        except KeyError:
-            # No cookie, so create one.
+            # No cookie, so create one.  This will be sent with the next
+            # response.
            request.META["CSRF_COOKIE"] = _get_new_csrf_key()
+            # Set a flag to allow us to fall back and allow the session id in
+            # place of a CSRF cookie for this request only.
            cookie_is_new = True

        if request.method == 'POST':
@ -133,10 +136,10 @@ class CsrfViewMiddleware(object):
                    return reject("Referer checking failed - %s does not match %s." %
                                  (referer, good_referer))

-            # If the user didn't already have a CSRF key, then accept the
-            # session key for the middleware token, so CSRF protection isn't lost
-            # for the period between upgrading to CSRF cookes to the first time
-            # each user comes back to the site to receive one.
+            # If the user didn't already have a CSRF cookie, then fall back to
+            # the Django 1.1 method (hash of session ID), so a request is not
+            # rejected if the form was sent to the user before upgrading to the
+            # Django 1.2 method (session independent nonce)
            if cookie_is_new:
                try:
                    session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
@ -226,7 +229,7 @@ class CsrfResponseMiddleware(object):
                patch_vary_headers(response, ('Cookie',))

                # Since the content has been modified, any Etag will now be
-                # incorrect.  We could recalculate, but only if we assume that              
+                # incorrect.  We could recalculate, but only if we assume that
                # the Etag was set by CommonMiddleware. The safest thing is just
                # to delete. See bug #9163
                del response['ETag']