Closed pmclanahan closed 10 years ago
Though now that I look at the code it might be difficult, as the `get_token` method requires you to pass it the request.
Talking on IRC, @pmclanahan and I came to the conclusion that the reason why the CsrfToken view doesn't trigger the setting of the cookie/header is because the `csrf_token` value is lazily evaluated and passed to `HttpResponse`, which may not actually resolve the value (and trigger the cookie/header to be added) until after the middleware has already executed.

We have not tested this, but `unicode`ing the token would solve that issue if that were the case.
Tested on a local instance of Scrumbugz (with @pmclanahan's recent fix removed), was able to replicate the bug, and adding a `unicode` fixed the issue as we suspected. Moving forward with that as the fix.
Django 1.5 brought with it a change in when Django would send the `csrftoken` cookie along with a response. It will now only send it if the view or template specifically asks for the token to be used, either by including a form in the template or by using a decorator. The docs say that any call to `django.middleware.csrf.get_token()` will cause the cookie and a `Vary: Cookie` header to be sent with the response. I'd suggest calling said function whenever the `browserid_info` or `browserid_login` template tags are used.

Note: this issue is avoided entirely by using django-session-csrf, I believe.
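The ordering problem discussed in the IRC comment above (a lazy `csrf_token` reaching the response unresolved, so the middleware never sees that `get_token()` was called) and the `get_token()` cookie/`Vary: Cookie` contract from the issue description, as an added simulation that is not part of this thread or of django-browserid. The `Request`, `Response`, `LazyToken`, `csrf_middleware_response` and `handle` names are constructed stand-ins for the Django pieces, not Django's own classes:

```python
# Constructed simulation of the ordering problem described in the thread; these are
# stand-ins, not Django's own HttpRequest/HttpResponse/CsrfViewMiddleware classes.
import secrets

class Request:
    def __init__(self):
        self.META = {}  # carries the "cookie used" flag, as in Django

class Response:
    def __init__(self, content):
        self._content = content  # stored as given, possibly a lazy object
        self.headers = {}

    def render(self):
        return str(self._content)  # serialising the body resolves a lazy value

def get_token(request):
    # Documented contract: calling get_token() marks the cookie as needed.
    request.META["CSRF_COOKIE_USED"] = True
    return request.META.setdefault("CSRF_COOKIE", secrets.token_hex(16))

class LazyToken:
    # Stand-in for the lazily evaluated csrf_token the context processor yields.
    def __init__(self, request):
        self._request = request

    def __str__(self):
        return get_token(self._request)

def csrf_middleware_response(request, response):
    # Like process_response: cookie and Vary header only if the flag was set.
    if request.META.get("CSRF_COOKIE_USED"):
        response.headers["Set-Cookie"] = "csrftoken=" + request.META["CSRF_COOKIE"]
        response.headers["Vary"] = "Cookie"
    return response

def buggy_view(request):
    return Response(LazyToken(request))  # lazy value reaches the response unresolved

def fixed_view(request):
    return Response(str(LazyToken(request)))  # forcing it calls get_token() in the view

def handle(view):
    # View, then response middleware, then body serialisation: the server's order.
    request = Request()
    response = csrf_middleware_response(request, view(request))
    return response.render(), response.headers
```

Running `handle(buggy_view)` returns a token body but no `Set-Cookie` or `Vary` header, while `handle(fixed_view)` returns the same token with both headers set.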