[2.2.x] Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.

Backport of 94469504706b494877b6bb45a979bcb81c7fd7be from master
2019-10-02 13:11:03 +02:00 · 2019-10-02 13:11:03 +02:00 · 09013aae13
commit 09013aae13
parent da31472abf
1 changed files with 4 additions and 0 deletions
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@ -458,6 +458,10 @@ Here are some hints about the ordering of various Django middleware classes:
   Before any view middleware that assumes that CSRF attacks have been dealt
   with.

+   Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
+   other authentication middleware that may perform a login, and hence rotate
+   the CSRF token, before calling down the middleware chain.
+
   After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.

 #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`