#32902: CsrfViewMiddleware.process_response()'s csrf_cookie_needs_reset and csrf_cookie_set logic isn't right ------------------------------------------+-------------------------------- Reporter: Chris Jerdonek | Owner: Chris Jerdonek Type: Bug | Status: assigned Component: CSRF | Version: dev Severity: Normal | Keywords: Triage Stage: Unreviewed | Has patch: 0 Needs documentation: 0 | Needs tests: 0 Patch needs improvement: 0 | Easy pickings: 0 UI/UX: 0 | ------------------------------------------+-------------------------------- I noticed that the `csrf_cookie_needs_reset` and `csrf_cookie_set` logic inside `CsrfViewMiddleware.process_response()` isn't right: https://github.com/django/django/blob/fa35c8bdbc6aca65d94d6280fa463d5bc7baa5c0/django/middleware/csrf.py#L439-L451
Consequently-- 1. `self._set_token(request, response)` can get called twice in some circumstances, even if `response.csrf_cookie_set` is true at the beginning, and 2. the cookie can fail to be reset in some circumstances, even if `csrf_cookie_needs_reset` is true at the beginning. (I previously let `secur...@djangoproject.com` know about this issue, and they said it was okay to resolve this publicly.) -- Ticket URL: <https://code.djangoproject.com/ticket/32902> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/052.f116460b8bbb69f19427f1d37c7c4a7e%40djangoproject.com.