#10816: CsrfMiddleware false positive after session.flush()
-----------------------------------+----------------------------------------
          Reporter:  Glenn         |         Owner:  lukeplant    
            Status:  new           |     Milestone:               
         Component:  Contrib apps  |       Version:  SVN          
        Resolution:                |      Keywords:  csrf sessions
             Stage:  Unreviewed    |     Has_patch:  1            
        Needs_docs:  0             |   Needs_tests:  0            
Needs_better_patch:  0             |  
-----------------------------------+----------------------------------------
Changes (by lukeplant):

  * owner:  nobody => lukeplant

Comment:

 Thanks for that Glenn, looks very good at a first glance.

 Ticket #9977 is really doing just one thing - replacing the post-
 processing with a template tag.  There are edge cases and backwards
 compatibility issues and so on that it deals with, and some small
 refactoring in the tests to support it, but I don't think it is doing too
 much at once.  Oh yeah, it also adds a mechanism for a custom view to be
 called if the mechanism is triggered.

 My vote is to merge this patch with #9977 after Django 1.1 is out.  Post-
 processing the response is really nasty, and hardly any of the core devs
 are happy with the middleware being enabled by default if it is still
 doing post-processing. Although this complicates the docs a little bit, I
 think it is much better than changing the middleware twice.

 I'm happy to do that merge (which is a bit tricky, and will also involve
 moving the cookie setting code to a `process_response()` method in
 `CsrfViewMiddleware` ).

-- 
Ticket URL: <http://code.djangoproject.com/ticket/10816#comment:8>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.