Reputation: 181
My website uses django-registration for login/signup. Recently I introduced some cache middleware and it resulted in CSRF violations when attempting to do back-to-back new-user sign-ups.
Here is the middleware statement from my settings.py:
    MIDDLEWARE_CLASSES = (
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
        'django.middleware.cache.UpdateCacheMiddleware',  # <------
        'django.middleware.locale.LocaleMiddleware',
        'linaro_django_pagination.middleware.PaginationMiddleware',
        'django.middleware.cache.FetchFromCacheMiddleware',  # <------
        'djangobb_forum.middleware.LastLoginMiddleware',
        'djangobb_forum.middleware.UsersOnline',
        'djangobb_forum.middleware.TimezoneMiddleware',
    )
Not sure if this is a real problem or not. Does the order of the middleware statements matter?
It seems there must be a way for CSRF and Cache middleware to co-exist. For now, I have removed the cache middleware.
Upvotes: 2
Views: 433
Reputation: 874
According to https://docs.djangoproject.com/en/1.8/topics/cache/#the-per-site-cache :
Once the cache is set up, the simplest way to use caching is to cache your entire site. You’ll need to add 'django.middleware.cache.UpdateCacheMiddleware' and 'django.middleware.cache.FetchFromCacheMiddleware' to your MIDDLEWARE_CLASSES setting, as in this example:
    MIDDLEWARE_CLASSES = (
        'django.middleware.cache.UpdateCacheMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.cache.FetchFromCacheMiddleware',
    )
Note
No, that’s not a typo: the “update” middleware must be first in the list, and the “fetch” middleware must be last. The details are a bit obscure, but see Order of MIDDLEWARE_CLASSES below if you’d like the full story.
Not sure if that helps, though.
Upvotes: 1
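The ordering rule quoted in the answer, applied to the settings from the question, as an added example that is not part of either post and is not Django's own code. It also flags middleware listed above UpdateCacheMiddleware that add a Vary header: responses pass through the list bottom-up, so those headers arrive after the page has been stored, and a page stored without "Vary: Cookie" can be served to a different visitor. The function names `check_cache_order` and `reorder` and the `VARY_SETTERS` table are assumptions made for this example; the table lists only the Vary headers these stock Django middleware are documented to add.

```python
UPDATE = 'django.middleware.cache.UpdateCacheMiddleware'
FETCH = 'django.middleware.cache.FetchFromCacheMiddleware'
# Stock middleware that add to the Vary response header, and what they add.
VARY_SETTERS = {
    'django.contrib.sessions.middleware.SessionMiddleware': 'Cookie',
    'django.middleware.csrf.CsrfViewMiddleware': 'Cookie',
    'django.middleware.locale.LocaleMiddleware': 'Accept-Language',
    'django.middleware.gzip.GZipMiddleware': 'Accept-Encoding',
}
# Order copied from the question's settings.py.
QUESTION_ORDER = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    UPDATE,
    'django.middleware.locale.LocaleMiddleware',
    'linaro_django_pagination.middleware.PaginationMiddleware',
    FETCH,
    'djangobb_forum.middleware.LastLoginMiddleware',
    'djangobb_forum.middleware.UsersOnline',
    'djangobb_forum.middleware.TimezoneMiddleware',
)


def check_cache_order(middleware):
    """Return a list of ordering problems (empty when the order is fine)."""
    names = list(middleware)
    if UPDATE not in names or FETCH not in names:
        return []  # per-site cache not fully enabled; nothing to check
    problems = []
    update_at, fetch_at = names.index(UPDATE), names.index(FETCH)
    if update_at != 0:
        problems.append('UpdateCacheMiddleware is at index %d, must be first' % update_at)
    if fetch_at != len(names) - 1:
        problems.append('FetchFromCacheMiddleware is at index %d, must be last' % fetch_at)
    # Responses run bottom-up: entries above UPDATE set Vary after the store.
    for name in names[:update_at]:
        if name in VARY_SETTERS:
            problems.append('%s adds "Vary: %s" too late for the cache'
                            % (name.rsplit('.', 1)[-1], VARY_SETTERS[name]))
    return problems


def reorder(middleware):
    """Move the update middleware to the front and the fetch middleware to the end."""
    rest = [m for m in middleware if m not in (UPDATE, FETCH)]
    return tuple([UPDATE] + rest + [FETCH])
```

`check_cache_order(QUESTION_ORDER)` reports four problems, including the late `Vary: Cookie` from SessionMiddleware and CsrfViewMiddleware; `check_cache_order(reorder(QUESTION_ORDER))` reports none.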