... having looked through the Django documentation, would I be right in thinking that the protocol is to have a secure login page where the session cookie is set, drop out of secure connection, but continue to pass cookies over the secure connection, leaving the pages themselves to be served over unsecured connection?
So I should be looking at SESSION_COOKIE_SECURE (http://docs.djangoproject.com/en/dev/topics/http/sessions/)?

ALJ

On Jul 1, 10:32 pm, ALJ <astley.lejas...@gmail.com> wrote:
> Thanks for that Euan.
>
> Steven, you say you have login on SSL and then have the cookie passed
> over an unencrypted channel for the rest of the site. Is there any risk
> with this or mitigating steps that should be taken?
>
> (Sorry ... don't have my head around it)
>
> ALJ
>
> On 1 July, 15:20, steven314 <stevenredtrous...@gmail.com> wrote:
> > It's a very common pattern to use SSL for login and private profile
> > details and then have the cookie passed over an unencrypted channel
> > for the rest of the site.
> >
> > I have implemented an approach where nginx handles all the SSL and
> > proxies requests to apache (which directly serves non-SSL requests).
> > Transitions between SSL and non-SSL are achieved with rewrites at the
> > nginx and apache level, which also means that SSL can be made optional
> > on, say, the admin URLs.
> >
> > This breaks request.is_secure() as it stands but this is easy to work
> > around.
> >
> > Bear in mind that IE may give you loud warnings about insecure content
> > if you don't also adjust the MEDIA_URL to use SSL where
> > appropriate.
> >
> > Steven.
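Added example for the thread above (it is not code from the Django users list, from any poster, or from Django itself). It uses only the standard library cookie jar as a stand-in for a browser to show what the Secure attribute on a session cookie does, which is the attribute SESSION_COOKIE_SECURE = True makes Django put on its Set-Cookie header. The site name example.com, the cookie value, and the faked responses are constructed for the example; "sessionid" is Django's default session cookie name.

```python
# Added example, not the thread's or Django's own code. A CookieJar plays
# the browser: it receives a Set-Cookie from the SSL login page and then
# decides, per request, whether to send the cookie over https:// or http://.
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response: cookiejar only needs .info()
    to return a header container with get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def login_over_https(session_cookie_secure: bool) -> CookieJar:
    """Simulate the SSL login page setting the session cookie.

    session_cookie_secure=True adds the Secure attribute, which is what
    Django's SESSION_COOKIE_SECURE = True does; False leaves it off.
    """
    jar = CookieJar()
    login_request = Request("https://example.com/accounts/login/")
    header = "sessionid=abc123notreal; Path=/; HttpOnly"  # constructed value
    if session_cookie_secure:
        header += "; Secure"
    jar.extract_cookies(FakeResponse([header]), login_request)
    return jar


def cookie_header_sent(jar: CookieJar, url: str) -> str:
    """Return the Cookie header the client would attach to a request for url,
    or '' if it would send no cookie at all."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def session_exposure(session_cookie_secure: bool) -> dict:
    """For the 'SSL login, plain HTTP elsewhere' layout discussed in the
    thread, map each page to the Cookie header the client sends there."""
    jar = login_over_https(session_cookie_secure)
    return {
        url: cookie_header_sent(jar, url)
        for url in (
            "https://example.com/accounts/profile/",  # private page, over SSL
            "http://example.com/",                    # public page, plain HTTP
        )
    }


if __name__ == "__main__":
    for secure in (False, True):
        print(f"SESSION_COOKIE_SECURE = {secure}")
        for url, cookie in session_exposure(secure).items():
            print(f"  {url:<40} Cookie: {cookie or '(none sent)'}")
```

Without the Secure attribute the same sessionid travels in the clear on the http:// page, where anyone on the network path can read and replay it to take over the session. With the attribute set the http:// page gets no cookie at all, so the cookie cannot be sniffed, but the visitor is also anonymous on every plain-HTTP page; the two settings are the two horns of the trade-off the thread is asking about, and the only way to have the session on a page without exposing the cookie is to serve that page over SSL too.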