Hi there,
I'm sorry I don't have a solution for you. However I have a
warning/recommendation.
Even if you don't serve the full site over https, you should make sure that
forms that submit data over HTTPS are served over HTTPS. Otherwise you make it
difficult for users to verify that their data (credentials etc.) will be
submitted over a secure channel (and to verify certs prior to submitting form
data etc.)
On the plus side, if you serve forms over HTTPS (not only submit responses),
it'll automatically solve your CSRF token problem.
HTH
Jirka
-----Original Message-----
From: Kevin <[email protected]>
Sender: [email protected]
Date: Wed, 31 Oct 2012 01:21:33
To: <[email protected]>
Reply-To: [email protected]
Subject: Posting from HTTP to HTTPS on same domain results in CSRF failure
Hello everyone,
I am in the process of deploying a Django app which works both on HTTP
and HTTPS connections, and requires that some specific forms only submit via
HTTPS. I want the transition process over to HTTPS to be seamless for the
end-user. I am implementing this on a site-wide login form.
Are there any workarounds for this or any middleware I can create to
allow same domain HTTP to HTTPS transition without worrying about CSRF
tokens being declined? To ensure it wasn't a stale cookie issue, I just
cleared my cookies before posting this.
The CSRF cookie is allowed for any connection, according to Firefox's
cookie viewer, so shouldn't this mean that the cookie will be accepted over
HTTPS?
Thanks in advance.
Django version is 1.4 branch.
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/django-users/-/AR9a9jddb_QJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
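The check behind the failure described in the thread, as an added example that is not part of either message and not Django's own code: a simplified model of the strict Referer comparison a CSRF middleware applies to HTTPS requests, run against constructed URLs and a constructed cookie value. It shows why a valid cookie is not enough when the form itself was fetched over plain HTTP, and why serving the form over HTTPS makes the same submission pass.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def check_secure_post(request_url, referer, csrf_cookie, form_token):
    """Return (accepted, reason) for a state-changing POST.

    Two checks, in the order a strict-referer CSRF scheme applies them:
    1. the token carried in the form must match the CSRF cookie;
    2. on HTTPS the Referer must be present and share the request's full
       origin, scheme included, so a page served over plain HTTP (which an
       active attacker could have tampered with) cannot post here.
    """
    if csrf_cookie is None or form_token != csrf_cookie:
        return False, "CSRF token missing or incorrect"
    scheme, host, port = origin(request_url)
    if scheme == "https":
        if referer is None:
            return False, "Referer checking failed - no Referer"
        if origin(referer) != (scheme, host, port):
            return False, "Referer checking failed - %s does not match %s://%s/" % (
                referer, scheme, host)
    return True, "ok"


def demo():
    """Constructed scenario: same host, same cookie, only the form's scheme differs."""
    cookie = "a3f9c0d1e7b2"  # constructed CSRF cookie value; the browser sends it on both schemes
    post_url = "https://example.com/accounts/login/"
    # Form page fetched over HTTP, submitted to HTTPS: the case from the thread.
    mixed = check_secure_post(post_url, "http://example.com/accounts/login/", cookie, cookie)
    # Same form served over HTTPS, as the reply recommends.
    fixed = check_secure_post(post_url, "https://example.com/accounts/login/", cookie, cookie)
    return mixed, fixed


if __name__ == "__main__":
    for label, result in zip(("HTTP form -> HTTPS post", "HTTPS form -> HTTPS post"), demo()):
        print("%-26s accepted=%s (%s)" % (label, result[0], result[1]))
```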