mirror of
https://github.com/django/django.git
synced 2024-11-30 07:06:18 +01:00
Misc clarifications in csrf middleware comments
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
43c2ed0eb3
commit
905dba3694
@ -83,8 +83,11 @@ class CsrfViewMiddleware(object):
|
||||
request.META["CSRF_COOKIE"] = request.COOKIES[settings.CSRF_COOKIE_NAME]
|
||||
cookie_is_new = False
|
||||
except KeyError:
|
||||
# No cookie, so create one.
|
||||
# No cookie, so create one. This will be sent with the next
|
||||
# response.
|
||||
request.META["CSRF_COOKIE"] = _get_new_csrf_key()
|
||||
# Set a flag to allow us to fall back and allow the session id in
|
||||
# place of a CSRF cookie for this request only.
|
||||
cookie_is_new = True
|
||||
|
||||
if request.method == 'POST':
|
||||
@ -133,10 +136,10 @@ class CsrfViewMiddleware(object):
|
||||
return reject("Referer checking failed - %s does not match %s." %
|
||||
(referer, good_referer))
|
||||
|
||||
# If the user didn't already have a CSRF key, then accept the
|
||||
# session key for the middleware token, so CSRF protection isn't lost
|
||||
# for the period between upgrading to CSRF cookes to the first time
|
||||
# each user comes back to the site to receive one.
|
||||
# If the user didn't already have a CSRF cookie, then fall back to
|
||||
# the Django 1.1 method (hash of session ID), so a request is not
|
||||
# rejected if the form was sent to the user before upgrading to the
|
||||
# Django 1.2 method (session independent nonce)
|
||||
if cookie_is_new:
|
||||
try:
|
||||
session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]
|
||||
|
Loading…
Reference in New Issue
Block a user