On Tue, Feb 3, 2015 at 11:52 AM, Aymeric Augustin
<aymeric.augustin.2...@polytechnique.org> wrote:
> You can fix that problem by saving some authentication info in the user's 
> session, most likely with a custom auth backend — see django-sesame for an 
> example of how to do this. Then redirect immediately to a URL that doesn't 
> contain the nonce. Of course all this must happen over HTTPS to reduce the 
> likelihood of leaving the nonce in the logs of various caches or reverse 
> proxies.

My application is 100% over HTTPS, HTTP traffic is not allowed.

Thanks for these pointers. This may not work exactly for me, but it
certainly is something interesting to think about. I'll look into it
more.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CADhq2b6SXqY78qiNdB7BkAQUcBHzAFUON%3DY69mEddu6Q55SWdg%40mail.gmail.com.
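The flow described in the quoted advice (authenticate from the nonce, keep the result in the session, redirect at once to a URL without the nonce), as an added example that is not part of the original thread and is not django-sesame's code. It is a framework-free sketch: `handle_request`, `strip_nonce`, the `nonce` parameter name, the plain-dict session and the sample nonce store are all hypothetical stand-ins for a Django view, auth backend and session.

```python
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NONCE_PARAM = "nonce"  # hypothetical query parameter name

# Constructed sample data: issued nonce -> user id (a real app would use its database).
ISSUED_NONCES = {"3f9c1e7a5b2d4c68": 42}


def strip_nonce(url):
    """Return the URL with the nonce parameter removed and all others kept."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != NONCE_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def lookup_nonce(candidate, store):
    """Return the user id for a nonce, comparing in constant time, else None."""
    user_id = None
    for issued, uid in store.items():
        if hmac.compare_digest(issued.encode(), candidate.encode()):
            user_id = uid
    return user_id


def handle_request(url, session, store=ISSUED_NONCES):
    """Return (status, redirect_location_or_None) for one incoming request."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return 400, None  # never accept a nonce that travelled over plain HTTP
    params = dict(parse_qsl(parts.query))
    if NONCE_PARAM not in params:
        # Clean URL: only the session decides whether the user is authenticated.
        return (200 if "user_id" in session else 403), None
    user_id = lookup_nonce(params[NONCE_PARAM], store)
    if user_id is None:
        return 403, None
    session["user_id"] = user_id      # auth info now lives in the session
    return 302, strip_nonce(url)      # redirect target no longer carries the nonce


if __name__ == "__main__":
    session = {}
    first = handle_request(
        "https://example.test/report?nonce=3f9c1e7a5b2d4c68&page=2", session)
    print(first, session)
    print(handle_request(first[1], session))
```

After the redirect, the nonce is absent from the address bar, the `Referer` header sent to other sites, and any URL logged for later requests; the first request's URL can still be logged, which is why the quoted advice pairs this with HTTPS.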