Thanks for that, Euan. Steven, you say you have login on SSL and then have the cookie passed over an unencrypted channel for the rest of the site. Is there any risk with this, or mitigating steps that should be taken?
(Sorry ... don't have my head around it)

ALJ

On 1 July, 15:20, steven314 <stevenredtrous...@gmail.com> wrote:
> It's a very common pattern to use SSL for login and private profile
> details and then have the cookie passed over an unencrypted channel
> for the rest of the site.
>
> I have implemented an approach where nginx handles all the SSL and
> proxies requests to apache (which directly serves non-SSL requests).
> Transitions between SSL and non-SSL are achieved with rewrites at the
> nginx and apache level, which also means that SSL can be made optional
> on, say, the admin URLs.
>
> This breaks request.is_secure() as it stands but this is easy to work
> around.
>
> Bear in mind that IE may give you loud warnings about insecure content
> if you don't also adjust the MEDIA_URL to use SSL where
> appropriate.
>
> Steven.
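
One way to work around the request.is_secure() breakage described in the quoted message, as an added example that is not code from anyone in this thread. It assumes nginx sets an X-Forwarded-Proto header on proxied requests and reaches apache from 127.0.0.1; the header name, the addresses and all function names are assumptions. Under WSGI, Django derives is_secure() from wsgi.url_scheme, which is what the middleware restores.

```python
# Added example, not from the thread. Assumes nginx sets "X-Forwarded-Proto"
# on proxied requests and connects to the backend from 127.0.0.1.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})  # assumed proxy addresses
HEADER = "HTTP_X_FORWARDED_PROTO"  # WSGI environ key for X-Forwarded-Proto


class ProxySchemeMiddleware:
    """Restore wsgi.url_scheme when TLS is terminated by a trusted proxy."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        # Always remove the header: apache also serves non-SSL requests
        # directly, so a client could send this header itself.
        forwarded = environ.pop(HEADER, "")
        if environ.get("REMOTE_ADDR") in self.trusted:
            proto = forwarded.strip().lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def scheme_seen_by_app(remote_addr, forwarded_proto=None):
    """Send a constructed request through the middleware; report what the app sees."""
    seen = {}

    def app(environ, start_response):
        seen["scheme"] = environ["wsgi.url_scheme"]
        seen["header_present"] = HEADER in environ
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    # Constructed sample request: the backend itself only ever speaks HTTP.
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/login/",
               "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        environ[HEADER] = forwarded_proto
    list(ProxySchemeMiddleware(app)(environ, lambda status, headers: None))
    return seen["scheme"], seen["header_present"]


if __name__ == "__main__":
    print("via nginx, TLS:   ", scheme_seen_by_app("127.0.0.1", "https"))
    print("direct, spoofed:  ", scheme_seen_by_app("203.0.113.9", "https"))
    print("via nginx, no TLS:", scheme_seen_by_app("127.0.0.1", "http"))
```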