Wednesday, October 31, 2012

Re: Posting from HTTP to HTTPS on same domain results in CSRF failure

Django does strict referrer checking[1] which includes checking the scheme (HTTP vs. HTTPS). Like the others, I suggest you serve the whole site over HTTPS and forward HTTP traffic to the appropriate HTTPS URLs.

-David


[1] https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/#how-it-works
[1] https://github.com/django/django/blob/master/django/middleware/csrf.py#L147
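As an added illustration (this is not David's code or Django's own implementation, which is linked above): a stand-alone Python sketch of the strict origin comparison behind the Referer step, showing why a form served over HTTP and posted to an HTTPS URL on the same host fails, next to the HTTP-to-HTTPS redirect recommended in the thread. It assumes the scheme's default port when a URL carries none; Django 1.4's real check differs in detail.

```python
from urllib.parse import urlparse, urlunparse

# Default ports used to normalise origins; a port that is absent from the
# URL is taken to be the scheme's default (an assumption of this example).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def same_origin(url1, url2):
    """Strict origin comparison: scheme, host AND port must all match."""
    return origin(url1) == origin(url2)


def csrf_referer_ok(is_secure, host, referer):
    """Referer step of the CSRF check for a request to `host`.

    Only HTTPS requests are subject to it.  A missing Referer is rejected,
    and so is a Referer whose scheme differs, which is exactly the
    HTTP -> HTTPS form submission discussed in the thread.
    """
    if not is_secure:
        return True
    if not referer:
        return False
    good_referer = "https://%s/" % host
    return same_origin(referer, good_referer)


def https_redirect_location(is_secure, host, path):
    """Mitigation from the thread: send plain-HTTP requests to the HTTPS URL.

    Returns the Location header value for a redirect, or None if the request
    already arrived over HTTPS and needs no redirect.
    """
    if is_secure:
        return None
    return urlunparse(("https", host, path, "", "", ""))
```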

On Wednesday, October 31, 2012 9:36:42 AM UTC-7, Kevin wrote:

I am using analytics.  Hmm.  I hoped that there was a django setting I may have missed somewhere.  I'll tackle it in a few hours and post my findings and/or solution to help others with a similar issue.  If there are any other suggestions as well I'm open to more ideas.

On Oct 31, 2012 10:08 AM, "kahara" <joni....@gmail.com> wrote:
Perhaps this could be fixed by simply redirecting all HTTP requests to HTTPS? Also, if you're using Analytics and your visitor comes in from an encrypted (Google) search page, then your Analytics will fail as the referer header will not contain search terms if the search hit is non-HTTPS.


    Joni


On Wednesday, 31 October 2012 15:41:11 UTC+2, Kevin wrote:

I did this approach before and it seems to break Google Search results. :(  I do want users to use the site and find me easily after all.

On Oct 31, 2012 6:24 AM, "Mike Dewhirst" <mi...@dewhirst.com.au> wrote:
On 31/10/2012 7:21pm, Kevin wrote:
Hello everyone,

   I am in the process of deploying a Django app which works both on
HTTP and HTTPS connections, and require that some specific forms only
submit via HTTPS.  I want the transition process over to HTTPS to be
seamless for the end-user.  I am implementing this on a site-wide login
form.

   Are there any workarounds for this or any middleware I can create to
allow same domain HTTP to HTTPS transition without worrying about CSRF
tokens being declined?  To ensure it wasn't a stale cookie issue, I just
cleared my cookies before posting this.

   The csrf cookie is allowed for any connection, according to Firefox's
cookie viewer, so shouldn't this mean that the cookie will be accepted
over HTTPS?

Is there any reason you can't make the entire site https?

Ought to solve the problem. And my understanding is that https everywhere is a reasonable approach nowadays.



Thanks in advance.

Django version is 1.4 branch.

--
You received this message because you are subscribed to the Google
Groups "Django users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/django-users/-/AR9a9jddb_QJ.
To post to this group, send email to django...@googlegroups.com.
To unsubscribe from this group, send email to
django-users...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
