mozilla / django-browserid

Django application for adding BrowserID support.
Mozilla Public License 2.0

csrftoken cookie not set by Django for most views #247

Closed pmclanahan closed 10 years ago

pmclanahan commented 10 years ago

Django 1.5 brought with it a change in when Django would send the csrftoken cookie along with a response. It will now only send it if the view or template specifically ask for the token to be used either by including a form in the template, or using a decorator. The docs say that any call to django.middleware.csrf.get_token() will cause the cookie and a Vary: Cookie header to be sent with the response. I'd suggest calling said function whenever the browserid_info or browserid_login template tags are used.

Note: This issue is avoided entirely by using django-session-csrf I believe.

pmclanahan commented 10 years ago

Though now that I look at the code it might be difficult as the get_token method requires you pass it the request.

Osmose commented 10 years ago

Talking on IRC, @pmclanahan and I came to the conclusion that the reason why the CsrfToken view doesn't trigger the setting of the cookie/header is because the csrf_token value is lazily-evaluated and passed to HttpResponse, which may not actually resolve the value (and trigger the cookie/header to be added) until after the middleware has already executed.

We have not tested this. But unicodeing the token would solve that issue if that were the case.

Osmose commented 10 years ago

Tested on a local instance of Scrumbugz (with @pmclanahan's recent fix removed), was able to replicate the bug, and adding a unicode fixed the issue as we suspected. Moving forward with that as the fix.
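To make the ordering problem above concrete, here is an added example (not code from django-browserid or Django) that models the Django 1.5 CSRF flow in plain Python: `LazyToken` stands in for the lazily-evaluated csrf_token, `csrf_middleware` stands in for the `CSRF_COOKIE_USED` check in `CsrfViewMiddleware.process_response`, and `run` renders the body only after the middleware has run, as the WSGI layer does. `str()` plays the role of the `unicode()` call used as the fix.

```python
import secrets


class Request:
    def __init__(self):
        self.META = {}


class Response:
    """Minimal HttpResponse stand-in: the body stays unrendered until rendered()."""
    def __init__(self, content):
        self._content = content          # may still be a lazy proxy
        self.cookies = {}

    def rendered(self):
        return str(self._content)        # forces evaluation, as output handling would


def get_token(request):
    """Like django.middleware.csrf.get_token: marks the cookie as used."""
    request.META["CSRF_COOKIE_USED"] = True
    return request.META.setdefault("CSRF_COOKIE", secrets.token_hex(16))


class LazyToken:
    """Mimics a lazy(...) proxy: get_token only runs when str() is called."""
    def __init__(self, request):
        self._request = request

    def __str__(self):
        return get_token(self._request)


def csrf_middleware(request, response):
    """process_response: only set the cookie if the token was actually used."""
    if request.META.get("CSRF_COOKIE_USED"):
        response.cookies["csrftoken"] = request.META["CSRF_COOKIE"]
    return response


def run(view):
    """View, then middleware, then body rendering, in that order (as in Django)."""
    request = Request()
    response = csrf_middleware(request, view(request))
    response.rendered()                  # token resolves here, after the middleware
    return response


def lazy_view(request):                  # the buggy pattern: proxy passed through
    return Response(LazyToken(request))


def eager_view(request):                 # the fix from this thread: force it first
    return Response(str(LazyToken(request)))
```

With `lazy_view` the body contains a token but no `csrftoken` cookie is ever set, so the next POST fails CSRF validation; `eager_view` resolves the token inside the view and the middleware sees `CSRF_COOKIE_USED`.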

pmclanahan commented 10 years ago

Nice!

Sent from my mobile. Please excuse my brevity.