#32916: CsrfViewMiddleware's request.META["CSRF_COOKIE_USED"] and
request.csrf_cookie_needs_reset can be combined
-------------------------------------+-------------------------------------
Reporter: Chris Jerdonek             | Owner: Chris Jerdonek
Type: Cleanup/optimization           | Status: assigned
Component: CSRF                      | Version: dev
Severity: Normal                     | Keywords:
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
In `CsrfViewMiddleware`, `request.META["CSRF_COOKIE_USED"]` and
`request.csrf_cookie_needs_reset` are both used for the same purpose.
Namely, they are inspected inside `CsrfViewMiddleware.process_response()`
to determine whether a cookie should be sent (though the logic in the
method is currently buggy):

https://github.com/django/django/blob/6f60fa97b0b501ef7cc77e16392654bf27ec8db3/django/middleware/csrf.py#L440-L445

Combining these two things would simplify `CsrfViewMiddleware`. This could
be done after #32902, which fixes the bugginess mentioned above.

My suggestion would be to replace both of these with a single
`request.META` key of `request.META["CSRF_COOKIE_NEEDS_RESET"]`. The
reason is that the `request.META` dict is more visible and easier to debug
than a custom request attribute, and it pairs more nicely with
`request.META["CSRF_COOKIE"]`. Also, using the current key of
`"CSRF_COOKIE_USED"` would be misleading because there are cases where the
cookie is queued for reset even if it hasn't been used in the request.
--
Ticket URL: <https://code.djangoproject.com/ticket/32916>
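
A sketch of the single-key design proposed in the ticket, added here as an illustration and not taken from Django or from the ticket's eventual patch. The `Request`/`Response` stand-ins, the helper bodies and the `csrftoken` cookie name are assumptions; only the `request.META` key names come from the ticket.

```python
import secrets

# Key name proposed in the ticket; it would replace both
# request.META["CSRF_COOKIE_USED"] and request.csrf_cookie_needs_reset.
NEEDS_RESET = "CSRF_COOKIE_NEEDS_RESET"
COOKIE_NAME = "csrftoken"  # assumed cookie name for this sketch


class Request:
    """Stand-in for an HTTP request (constructed for the example)."""
    def __init__(self, cookies=None):
        self.COOKIES = dict(cookies or {})
        self.META = {}


class Response:
    """Stand-in for an HTTP response; records cookies that were set."""
    def __init__(self):
        self.cookies = {}


def get_token(request):
    """The token is used (e.g. rendered into a form): queue the cookie."""
    if "CSRF_COOKIE" not in request.META:
        existing = request.COOKIES.get(COOKIE_NAME)
        request.META["CSRF_COOKIE"] = existing or secrets.token_urlsafe(32)
    request.META[NEEDS_RESET] = True
    return request.META["CSRF_COOKIE"]


def rotate_token(request):
    """The token is replaced without being used in this request.

    This is the case the ticket cites for why a "...USED" key name
    would be misleading: the cookie is queued although nothing read it.
    """
    request.META["CSRF_COOKIE"] = secrets.token_urlsafe(32)
    request.META[NEEDS_RESET] = True


def process_response(request, response):
    """One flag, one check: send the cookie only if it was queued."""
    if request.META.get(NEEDS_RESET, False):
        response.cookies[COOKIE_NAME] = request.META["CSRF_COOKIE"]
    return response
```

With one key there is no state in which the two indicators disagree, so a rotated but unused token is still delivered to the client.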