Wednesday, October 31, 2012

Re: Posting from HTTP to HTTPS on same domain results in CSRF failure

Hi there,

I'm sorry I don't have a solution for you. However I have a warning/recommendation.

Even if you don't serve the full site over HTTPS, you should make sure that forms that submit data over HTTPS are served over HTTPS. Otherwise you make it difficult for users to verify that their data (credentials etc.) will be submitted over a secure channel (and to verify certs prior to submitting form data etc.).

On the plus side, if you serve forms over HTTPS (not only submit responses), it'll automatically solve your CSRF token problem.

HTH

Jirka

From: Kevin <kveroneau@gmail.com>
Sender: django-users@googlegroups.com
Date: Wed, 31 Oct 2012 01:21:33 -0700 (PDT)
To: <django-users@googlegroups.com>
ReplyTo: django-users@googlegroups.com
Subject: Posting from HTTP to HTTPS on same domain results in CSRF failure

Hello everyone,

  I am in the process of deploying a Django app which works both on HTTP and HTTPS connections, and require that some specific forms only submit via HTTPS.  I want the transition process over to HTTPS to be seamless for the end-user.  I am implementing this on a site-wide login form.

  Are there any workarounds for this or any middleware I can create to allow same domain HTTP to HTTPS transition without worrying about CSRF tokens being declined?  To ensure it wasn't a stale cookie issue, I just cleared my cookies before posting this.

  The csrf cookie is allowed for any connection, according to Firefox's cookie viewer, so shouldn't this mean that the cookie will be accepted over HTTPS?

Thanks in advance.

Django version is 1.4 branch.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/AR9a9jddb_QJ.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
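The failure Kevin describes is the Referer check that Django 1.4's CsrfViewMiddleware applies only to HTTPS requests: a POST received over HTTPS must carry a Referer whose scheme, host and port match `https://<host>/`, so a form served over plain HTTP and posted to HTTPS is rejected even when the cookie and form token agree. The Python below is an added example written for this thread, not code from either message and not Django's own source; it models that rule on a constructed request dict so the three cases (HTTP form posting to HTTPS, HTTPS form posting to HTTPS, HTTP form posting to HTTP) can be compared. The `make_post` helper, the request dict layout and the host `example.com` are assumptions of the example.

```python
import hmac
from urllib.parse import urlsplit

# Rejection reasons, kept close to the wording Django 1.4 logs so the
# message is recognisable in server logs.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def same_origin(url1, url2):
    """Scheme, host and port must all match; a scheme change alone fails."""
    p1, p2 = urlsplit(url1), urlsplit(url2)
    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)


def check_csrf(request):
    """Return None when the request is accepted, otherwise the rejection reason.

    Models the Django 1.4 behaviour: the Referer is only inspected when the
    request itself arrived over HTTPS (where cookies alone cannot be trusted
    against an active network attacker), and it must then be an https:// URL
    on the same host.  The cookie/form-token comparison happens afterwards,
    so a Referer failure masks a token that is actually fine.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None
    if request["is_secure"]:
        referer = request["headers"].get("Referer")
        if referer is None:
            return REASON_NO_REFERER
        good_referer = "https://%s/" % request["host"]
        if not same_origin(referer, good_referer):
            return REASON_BAD_REFERER % (referer, good_referer)
    cookie = request["cookies"].get("csrftoken", "")
    token = request["post"].get("csrfmiddlewaretoken", "")
    if not cookie or not hmac.compare_digest(cookie, token):
        return REASON_BAD_TOKEN
    return None


def make_post(form_scheme, submit_scheme, host="example.com", token="abc123"):
    """Constructed request (hypothetical helper): a login form served at
    form_scheme:// that posts to submit_scheme:// on the same host, with the
    CSRF cookie and the form token in agreement, as in the question."""
    return {
        "method": "POST",
        "is_secure": submit_scheme == "https",
        "host": host,
        "headers": {"Referer": "%s://%s/login/" % (form_scheme, host)},
        "cookies": {"csrftoken": token},
        "post": {"csrfmiddlewaretoken": token},
    }


if __name__ == "__main__":
    for form, submit in (("http", "https"), ("https", "https"), ("http", "http")):
        result = check_csrf(make_post(form, submit))
        print("form over %-5s posting to %-5s -> %s" % (form, submit, result or "accepted"))
```

Running the block shows that only the HTTP-to-HTTPS case is refused, with a Referer message rather than a token message, which is why clearing cookies or checking the cookie's connection scope (as Kevin did) does not change the outcome, and why serving the form itself over HTTPS, as Jirka recommends, removes the failure.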
