I have an extranet for staff and known partners. It has absolutely no public content. I've installed SSL so it should be secure, but I also heard that SSL can have a big impact on the server.
While login and password changes need to be secure, the content itself is not particularly sensitive. But actions and views will be user specific, therefore users will need to be logged in at all times. Given the above, I was wondering if it is necessary to use SSL at all times or is it possible to use it only for login? Presumably if I dropped out of SSL after login, the cookies would still be vulnerable to hijacking. My gut feel is that I have to use SSL all the time and just accept the hit on the server, but I wondered if there were any Django tools (CSRF protection) or best practices anyone has on managing the balance of SSL and the impact on the server.

- Are they passing logins and passwords? Yes, then SSL
- Is the content sensitive (like bank details or commercial stuff)? If yes then SSL.
- Are the content and actions user specific? If yes then SSL.

ALJ
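
The cookie exposure raised in the question, as an added example that is not part of the original post: a standard-library cookie jar stands in for the browser and shows which requests carry the session cookie with and without the `Secure` attribute (the attribute Django sets when `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` are `True`). The host name and cookie value are constructed, and `make_session_cookie`, `cookie_sent` and `exposure_report` are hypothetical helper names.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "extranet.example.test"  # constructed host name, not from the post


def make_session_cookie(secure):
    """Build a 'sessionid' cookie as a client would store it after login."""
    return Cookie(
        version=0, name="sessionid", value="constructed-session-value",
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={"HttpOnly": None},
    )


def cookie_sent(url, secure):
    """Return the Cookie header a client attaches to `url`, or None."""
    jar = CookieJar()
    jar.set_cookie(make_session_cookie(secure))
    req = Request(url)
    jar.add_cookie_header(req)  # applies the Secure/scheme rule
    return req.get_header("Cookie")


def exposure_report():
    """Map (Secure flag, scheme) -> whether the session cookie is sent."""
    report = {}
    for secure in (False, True):
        for scheme in ("http", "https"):
            sent = cookie_sent(f"{scheme}://{HOST}/reports/", secure)
            report[(secure, scheme)] = sent is not None
    return report


if __name__ == "__main__":
    for (secure, scheme), sent in exposure_report().items():
        print(f"Secure={secure!s:5} {scheme:5} -> cookie sent: {sent}")
```

Only the `Secure=True` cookie is withheld from the plain-HTTP request; without the attribute, any page served over HTTP after login carries the session identifier in clear text.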