On Wed, 2011-02-23 at 15:23 -0800, Jonas Obrist wrote:
> Well, writing a middleware in my app or decorating all views seems a
> little hacky/unclean to me too.
>
> In our specific use case, the django CMS, the graceful degrading is
> done through the admin; our so-called frontend editing is heavily
> JavaScript and AJAX based, without HTML forms. Therefore we have a lot
> of problems now that Django (correctly) checks for the CSRF header in AJAX
> requests. To make this backwards incompatibility easier for developers
> to adopt, always sending the cookie would be the right thing to do, in
> my opinion.
Sorry, I forgot to continue this conversation.

I'm quite happy to entertain the idea that the CSRF middleware should always set the CSRF cookie, but would like to know what other devs think.

The main consequence I can think of is this: if a page has 'Vary: Cookie' sent in the headers, and was not previously sending cookies, the new cookie being sent will cause different cache behaviour, i.e. it won't be cached internally in Django or in other caches. This is a significant enough performance consideration to make me hesitate, but Jonas' arguments about ease of use for people using AJAX are also significant.

If we change it, do we want to change it before the 1.3 release? And backport it to 1.2.X?

Luke

-- 
"Because Your lovingkindness is better than life,
My lips shall praise You." (Ps 63:3)

Luke Plant || http://lukeplant.me.uk/
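The cache consequence Luke describes can be made concrete with a small model. The following is an added example written for this thread, not Django's cache or CSRF middleware and not code from either poster: it keys a shared cache by URL plus the request headers named in the response's Vary header (the same idea Django's cache middleware uses, but simplified), and compares a page that never sets a cookie with one where the CSRF cookie is issued on every response. The cookie name, the token format, the "don't store a response that hands a cookie to a cookieless request" policy and the `simulate` parameters are this example's own assumptions.

```python
import hashlib
from typing import Dict, Tuple

# Added example (not Django's code): a simplified model of a Vary-aware
# shared cache, used to show why a CSRF cookie issued on every response
# interacts badly with 'Vary: Cookie'.  Cookie name, token format and the
# caching policy below are assumptions made for this illustration.

CSRF_COOKIE = "csrftoken"


def vary_cache_key(url: str, vary: str, request_headers: Dict[str, str]) -> str:
    """Key a cached response by URL plus the request headers named in Vary.

    With 'Vary: Cookie', two requests share a cache entry only if their
    Cookie headers are identical, so a per-client cookie makes every key
    unique and the shared cache stops being shared.
    """
    parts = [url]
    for name in vary.split(","):
        name = name.strip().lower()
        if name:
            parts.append(f"{name}={request_headers.get(name, '')}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


class SharedCache:
    """A shared (non-private) cache: Django's cache middleware, a proxy, a CDN."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}
        self.hits = 0
        self.misses = 0

    def get(self, url: str, vary: str, request_headers: Dict[str, str]):
        body = self.store.get(vary_cache_key(url, vary, request_headers))
        if body is None:
            self.misses += 1
        else:
            self.hits += 1
        return body

    def put(self, url: str, vary: str, request_headers: Dict[str, str], body: str) -> None:
        self.store[vary_cache_key(url, vary, request_headers)] = body


def render_page(client_id: int, page_uses_token: bool,
                always_set_cookie: bool) -> Tuple[str, Dict[str, str]]:
    """Model of view + CSRF middleware: returns (body, cookies to set).

    Constructed token value; a real middleware issues a random secret.
    """
    cookies: Dict[str, str] = {}
    if always_set_cookie or page_uses_token:
        cookies[CSRF_COOKIE] = f"token-for-client-{client_id}"
    return "<html>page</html>", cookies


def simulate(always_set_cookie: bool, n_clients: int = 5,
             requests_per_client: int = 2, page_uses_token: bool = False) -> Tuple[int, int]:
    """Return (hits, misses) for n_clients each fetching one 'Vary: Cookie' page."""
    cache = SharedCache()
    url, vary = "/page/", "Cookie"
    for client_id in range(n_clients):
        jar: Dict[str, str] = {}  # this client's cookie jar
        for _ in range(requests_per_client):
            headers = {"cookie": "; ".join(f"{k}={v}" for k, v in sorted(jar.items()))}
            if cache.get(url, vary, headers) is not None:
                continue  # served from the shared cache
            body, set_cookies = render_page(client_id, page_uses_token, always_set_cookie)
            jar.update(set_cookies)
            # Policy (assumption): never store a response that hands a cookie
            # to a cookieless request; otherwise the first client's token would
            # be served from cache to every other client.
            if set_cookies and not headers["cookie"]:
                continue
            cache.put(url, vary, headers, body)
    return cache.hits, cache.misses


if __name__ == "__main__":
    print("cookie never set      (hits, misses):", simulate(always_set_cookie=False))
    print("CSRF cookie always set (hits, misses):", simulate(always_set_cookie=True))
```

With five clients each fetching the page twice, the cookieless page misses once and is served from cache nine times; once every response carries a per-client CSRF cookie, each client's second request has a Cookie header nobody else shares, so every request misses. That is the cost Luke is weighing against the AJAX convenience, and the storage policy in `simulate` is the check a cache in front of such a site needs regardless of which way the decision goes.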