CSRFMiddleware deletes all cookies (including the login session) if CSRF checks fail. However, that doesn't stop a forged login, since there isn't a session cookie yet anyway. The login continues and you are logged in.
Also, we have no tests for CSRF functionality.
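A regression check for the behaviour described above, as an added example that is not the project's own code. The WSGI middlewares, the cookie-versus-header token check and all names are hypothetical stand-ins, and cookie deletion is modelled simply as dropping the request's cookies.

```python
# Added example: hypothetical WSGI model, not the project's CSRFMiddleware.
import hmac
from wsgiref.util import setup_testing_defaults

def login_app(environ, start_response):
    # Stand-in login view: any POST that reaches it gets a fresh session.
    start_response("200 OK", [("Set-Cookie", "session=new; HttpOnly")])
    return [b"logged in"]

def csrf_ok(environ):
    # Assumed check: the header token must be present and equal the cookie token.
    pairs = environ.get("HTTP_COOKIE", "").split(";")
    cookies = dict(p.strip().split("=", 1) for p in pairs if "=" in p)
    token = environ.get("HTTP_X_CSRF_TOKEN", "")
    return bool(token) and hmac.compare_digest(token, cookies.get("csrf", ""))

def clearing_middleware(app):
    # Reported behaviour: cookies are discarded, but the request is still handled.
    def wrapped(environ, start_response):
        if environ["REQUEST_METHOD"] == "POST" and not csrf_ok(environ):
            environ.pop("HTTP_COOKIE", None)
        return app(environ, start_response)
    return wrapped

def rejecting_middleware(app):
    # Hardened form: a failed check ends the request before the view runs.
    def wrapped(environ, start_response):
        if environ["REQUEST_METHOD"] == "POST" and not csrf_ok(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"CSRF check failed"]
        return app(environ, start_response)
    return wrapped

def run(middleware, headers):
    # Send one constructed POST /login through the middleware and report
    # the response status and any Set-Cookie header it produced.
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD="POST", PATH_INFO="/login", **headers)
    seen = {}
    def start_response(status, response_headers, exc_info=None):
        seen["status"], seen["headers"] = status, response_headers
    b"".join(middleware(login_app)(environ, start_response))
    return seen["status"], dict(seen["headers"]).get("Set-Cookie")
```

A test suite for the real middleware would assert the same two things: a login POST without a valid token gets no session cookie, and one with a valid token still succeeds.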