Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

• use Django~=1.11.6 (the issue does not happen with 1.10 or earlier 1.11s. I haven't tested with 2.x)
• use session auth and have a valid csrf_token cookie
• do a POST/PUT request using a DRF API

Expected behavior

Get a successful response.

Actual behavior

We get this returned:

{"detail":"CSRF Failed: CSRF cookie not set."}

What's going on

It looks like SessionAuthentication.enforce_csrf uses CSRFCheck which is a thin subclass of CSRFViewMiddleware.

In django 1.11.6 this change was made in CSRFViewMiddleware: django/django@4284732

(full code for django 1.11.x in that file)

It is clear that the process_view method expects request.META['CSRF_COOKIE'] to be populated. But it is now not done in the body of process_view but earlier in the middleware processing, in the process_request call.

This works fine when called as a middleware, but when process_view is called independently/directly as DRF does, this breaks and rejects the request since it couldn't find the cookie.

This could be considered a Django bug, though in normal django usage it works okay because process_request is called before process_view. Maybe DRF should call both?