Commit a5b44ed8 authored by Carl Meyer's avatar Carl Meyer
Browse files

[1.3.X] Refs #15855 -- Recommended the csrf_protect decorator rather than... 

[1.3.X] Refs #15855 -- Recommended the csrf_protect decorator rather than vary_on_cookie as workaround for cache_page caching the response before it gets to middleware.

Backport of r16361 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16362 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent c1baaa8c

docs/ref/contrib/csrf.txt

+6 −5
Original line number Diff line number Diff line
@@ -408,15 +408,16 @@ middleware if it is used as instructed (``UpdateCacheMiddleware`` goes before 
all other middleware).



However, if you use cache decorators on individual views, the CSRF middleware

will not yet have been able to set the Vary header.  In this case, on any views

that will require a CSRF token to be inserted you should use the

:func:`django.views.decorators.vary.vary_on_cookie` decorator first::

will not yet have been able to set the Vary header or the CSRF cookie, and the

response will be cached without either one. In this case, on any views that

will require a CSRF token to be inserted you should use the

:func:`django.views.decorators.csrf.csrf_protect` decorator first::



  from django.views.decorators.cache import cache_page

  from django.views.decorators.vary import vary_on_cookie

  from django.views.decorators.csrf import csrf_protect



  @cache_page(60 * 15)

  @vary_on_cookie

  @csrf_protect

  def my_view(request):

      # ...