It's a very common pattern to use SSL for login and private profile details and then have the cookie passed over an unencrypted channel for the rest of the site.
I have implemented an approach where nginx handles all the SSL and proxies requests to Apache (which directly serves non-SSL requests). Transitions between SSL and non-SSL are achieved with rewrites at the nginx and Apache level, which also means that SSL can be made optional on, say, the admin URLs. This breaks request.is_secure() as it stands but this is easy to work around. Bear in mind that IE may give you loud warnings about insecure content if you don't also adjust the MEDIA_URL to use SSL where appropriate.

Steven.