Wednesday, October 31, 2012

Posting from HTTP to HTTPS on same domain results in CSRF failure

Hello everyone,

  I am in the process of deploying a Django app which works both on HTTP and HTTPS connections, and require that some specific forms only submit via HTTPS.  I want the transition process over to HTTPS to be seamless for the end-user.  I am implementing this on a site-wide login form.

  Are there any workarounds for this or any middleware I can create to allow same domain HTTP to HTTPS transition without worrying about CSRF tokens being declined?  To ensure it wasn't a stale cookie issue, I just cleared my cookies before posting this.

  The CSRF cookie is allowed for any connection, according to Firefox's cookie viewer, so shouldn't this mean that the cookie will be accepted over HTTPS?

Thanks in advance.

Django version is 1.4 branch.

