Wednesday, October 31, 2012

Re: Posting from HTTP to HTTPS on same domain results in CSRF failure

On 31/10/2012 7:21pm, Kevin wrote:
> Hello everyone,
>
> I am in the process of deploying a Django app which works both on
> HTTP and HTTPS connections, and require that some specific forms only
> submit via HTTPS. I want the transition process over to HTTPS to be
> seamless for the end-user. I am implementing this on a site-wide login
> form.
>
> Are there any workarounds for this or any middleware I can create to
> allow same domain HTTP to HTTPS transition without worrying about CSRF
> tokens being declined? To ensure it wasn't a stale cookie issue, I just
> cleared my cookies before posting this.
>
> The csrf cookie is allowed for any connection, according to Firefox's
> cookie viewer, so shouldn't this mean that the cookie will be accepted
> over HTTPS?

Is there any reason you can't make the entire site https?

Ought to solve the problem. And my understanding is that https
everywhere is a reasonable approach nowadays.


>
> Thanks in advance.
>
> Django version is 1.4 branch.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Django users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/django-users/-/AR9a9jddb_QJ.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
