re-ordering middleware and logon system

settings.py

@@ -126,16 +126,18 @@ INSTALLED_APPS = (
     'troggle.flatpages', # Written by Martin Green 2011. This is NOT django.contrib.flatpages which stores HTML in the database
 )
 
+# See the recommended order of these in https://docs.djangoproject.com/en/2.2/ref/middleware/
 MIDDLEWARE_CLASSES = (
-    'django.middleware.csrf.CsrfViewMiddleware', # Cross Site Request Forgeries by adding hidden form fields to POST
-    'django.middleware.security.SecurityMiddleware', # SECURE_SSL_REDIRECT and SECURE_SSL_HOST
-    'django.contrib.sessions.middleware.SessionMiddleware', # Manages sessions across requests
+    #'django.middleware.security.SecurityMiddleware', # SECURE_SSL_REDIRECT and SECURE_SSL_HOST # we don't use this
+    'django.middleware.gzip.GZipMiddleware', # not needed as expofiles and photos served by apache
+    'django.contrib.sessions.middleware.SessionMiddleware', # Manages sessions, if CSRF_USE_SESSIONS then it needs to be early
     'django.middleware.common.CommonMiddleware', # DISALLOWED_USER_AGENTS, APPEND_SLASH and PREPEND_WWW
+    'django.middleware.csrf.CsrfViewMiddleware', # Cross Site Request Forgeries by adding hidden form fields to POST
     'django.contrib.auth.middleware.AuthenticationMiddleware',  # Adds the user attribute, representing the currently-logged-in user
-    'django.contrib.admindocs.middleware.XViewMiddleware',
-    'django.contrib.messages.middleware.MessageMiddleware', # Cookie-based and session-based message support
+    'django.contrib.admindocs.middleware.XViewMiddleware', # this and docutils needed by admindocs
+    'django.contrib.messages.middleware.MessageMiddleware', # Cookie-based and session-based message support. Needed by admin system
     'django.middleware.clickjacking.XFrameOptionsMiddleware', # clickjacking protection via the X-Frame-Options header
-    'troggle.middleware.SmartAppendSlashMiddleware' # Outdated & unneeded?
+    'troggle.middleware.SmartAppendSlashMiddleware' # 
 )
 
 ROOT_URLCONF = 'troggle.urls'