[3.0.x] Refs #28699 -- Clarified CSRF middleware ordering in relation to RemoteUserMiddleware.

Backport of 9446950470 from master
2025-08-03 02:23:12 +00:00 · 2019-10-02 13:11:03 +02:00 · 2019-10-02 13:11:03 +02:00 · b0b98fcacf
commit b0b98fcacf
parent 516200c09e
1 changed files with 4 additions and 0 deletions
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@ -557,6 +557,10 @@ Here are some hints about the ordering of various Django middleware classes:
   Before any view middleware that assumes that CSRF attacks have been dealt
   with.

+   Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
+   other authentication middleware that may perform a login, and hence rotate
+   the CSRF token, before calling down the middleware chain.
+
   After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.

 #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`