Commit 369fa471 authored by Vaclav Ehrlich's avatar Vaclav Ehrlich Committed by Tim Graham

Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.

parent 02ae5fd3
+3 −0
@@ -78,6 +78,9 @@ CSRF_FAILURE_TEMPLATE = """
    <code>csrf_protect</code> on any views that use the <code>csrf_token</code>
    template tag, as well as those that accept the POST data.</li>

    <li>The form has a valid CSRF token. After logging in in another browser
    tab or hitting the back button after a login, you may need to reload the
    page with the form, because the token is rotated after a login.</li>
  </ul>

  <p>You're seeing the help section of this page because you have <code>DEBUG =
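Review bot: "logging in in another browser tab" in the new `<li>` is grammatical but reads like a doubled word on a page a developer sees at the moment of a failure; "logging in from another browser tab" avoids that, and the same wording should then be used in the FAQ sentence added later in this commit. It would also help to say what actually changes (the second hunk states that the CSRF cookie value is replaced at login), so the reader understands why a reload, which fetches the new cookie and re-renders the form, is the fix rather than simply resubmitting.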
+11 −0
@@ -227,6 +227,9 @@ The CSRF protection is based on the following things:
   every response that has called ``django.middleware.csrf.get_token()``
   (the function used internally to retrieve the CSRF token).

   For security reasons, the value of the CSRF cookie is changed each time a
   user logs in.

2. A hidden form field with the name 'csrfmiddlewaretoken' present in all
   outgoing POST forms.  The value of this field is the value of the CSRF
   cookie.
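Review bot: "For security reasons" in the added paragraph says that the cookie changes on login but not why, and the identical unexplained phrase is repeated in the new FAQ entry further down in this commit. State the reason once, or make this sentence a cross-reference to that FAQ entry, so a reader of the "how it works" list also learns the consequence spelled out there: forms rendered before the login carry an old, invalid token and must be reloaded.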
@@ -505,3 +508,11 @@ because it invalidates all previous forms. Most users would be very unhappy to
find that opening a new tab on your site has invalidated the form they had
just spent time filling out in another tab or that a form they accessed via
the back button could not be filled out.

Why might a user encounter a CSRF validation failure after logging in?
----------------------------------------------------------------------

For security reasons, CSRF tokens are rotated each time a user logs in. Any
page with a form generated before a login will have an old, invalid CSRF token
and need to be reloaded. This might happen if a user uses the back button after
a login or if they log in in a different browser tab.
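Review bot: the answer says the page will "need to be reloaded" but does not say that Django now tells the user this: the first hunk of this commit adds exactly that advice to the DEBUG failure template, so a sentence noting that the DEBUG failure page explains the reload, and that a custom failure page should give the same hint, would connect the two changes. Minor consistency points: "log in in a different browser tab" repeats the doubled "in" from the template text, and "uses the back button" here versus "hitting the back button" there describe the same case; pick one wording for both.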