Commit 905dba36 authored by Luke Plant's avatar Luke Plant

Misc clarifications in csrf middleware comments



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 43c2ed0e
+9 −6
@@ -83,8 +83,11 @@ class CsrfViewMiddleware(object):
            request.META["CSRF_COOKIE"] = request.COOKIES[settings.CSRF_COOKIE_NAME]
            cookie_is_new = False
        except KeyError:
            # No cookie, so create one.
            # No cookie, so create one.  This will be sent with the next
            # response.
            request.META["CSRF_COOKIE"] = _get_new_csrf_key()
            # Set a flag to allow us to fall back and allow the session id in
            # place of a CSRF cookie for this request only.
            cookie_is_new = True

        if request.method == 'POST':
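Review bot: The new comment above `cookie_is_new = True` describes the fallback but not its lifetime: accepting a token derived from the session ID in place of the nonce cookie is a deliberate, temporary relaxation for the 1.1-to-1.2 transition, and a later maintainer has no cue in either hunk about when it is safe to remove. The second hunk names the two schemes (Django 1.1 hash of session ID, Django 1.2 session-independent nonce) but likewise gives no removal condition. I would extend the flag comment with `# Transitional compatibility path for the 1.1 -> 1.2 token scheme; remove once forms issued before the upgrade can no longer be in flight.` The enclosing method begins before this hunk and continues past it.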
@@ -133,10 +136,10 @@ class CsrfViewMiddleware(object):
                    return reject("Referer checking failed - %s does not match %s." %
                                  (referer, good_referer))

            # If the user didn't already have a CSRF key, then accept the
            # session key for the middleware token, so CSRF protection isn't lost
            # for the period between upgrading to CSRF cookes to the first time
            # each user comes back to the site to receive one.
            # If the user didn't already have a CSRF cookie, then fall back to
            # the Django 1.1 method (hash of session ID), so a request is not
            # rejected if the form was sent to the user before upgrading to the
            # Django 1.2 method (session independent nonce)
            if cookie_is_new:
                try:
                    session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]