#32902: CsrfViewMiddleware.process_response()'s csrf_cookie_needs_reset and
csrf_cookie_set logic isn't right
------------------------------------------+--------------------------------
Reporter: Chris Jerdonek | Owner: Chris Jerdonek
Type: Bug | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------+--------------------------------
I noticed that the `csrf_cookie_needs_reset` and `csrf_cookie_set` logic
inside `CsrfViewMiddleware.process_response()` isn't right:
https://github.com/django/django/blob/fa35c8bdbc6aca65d94d6280fa463d5bc7baa5c0/django/middleware/csrf.py#L439-L451
Consequently--
1. `self._set_token(request, response)` can get called twice in some
circumstances, even if `response.csrf_cookie_set` is true at the
beginning, and
2. the cookie can fail to be reset in some circumstances, even if
`csrf_cookie_needs_reset` is true at the beginning.
(I previously let `secur...@djangoproject.com` know about this issue, and
they said it was okay to resolve this publicly.)
--
Ticket URL: <https://code.djangoproject.com/ticket/32902>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/052.f116460b8bbb69f19427f1d37c7c4a7e%40djangoproject.com.
