From 09013aae13b008359c054d5e4252844ebdb5aa57 Mon Sep 17 00:00:00 2001 From: Carlton Gibson Date: Wed, 2 Oct 2019 13:11:03 +0200 Subject: [PATCH] [2.2.x] Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware. Backport of 94469504706b494877b6bb45a979bcb81c7fd7be from master --- docs/ref/middleware.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index db70a7c14d..99ff001954 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -458,6 +458,10 @@ Here are some hints about the ordering of various Django middleware classes: Before any view middleware that assumes that CSRF attacks have been dealt with. + Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any + other authentication middleware that may perform a login, and hence rotate + the CSRF token, before calling down the middleware chain. + After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`. #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
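Review bot: The added paragraph gives the mechanism ("may perform a login, and hence rotate the CSRF token") but not the consequence a reader needs to act on, so consider finishing the sentence with the effect of getting the order wrong; something like "so that the CSRF check does not run against a token that was rotated earlier in the same request" would make the ordering rule self-explanatory without the reader having to reason it out. Also, since "any other authentication middleware that may perform a login" is the general case, it may be worth stating that the same ordering applies to custom middleware that calls login() in process_request, which is the behaviour the text is describing for RemoteUserMiddleware.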