Django HTTPS和HTTP会话 [英] Django HTTPS and HTTP Sessions

问题描述

通过HTTPS创建的会话数据（身份验证等）在HTTP部分中不可用该网站。

什么是使其可用的最佳方法，而不必使整个网站HTTPS？

解决方案

这是设计而不是你可以随便改变的东西。

请记住，此未经身份验证的Cookie以明文形式发送电线，打开您的用户欺骗和重播攻击。这可能与您的申请无关。

I'm using Django 1.1.1 with the ssl redirect middleware.

Sessions data (authentication etc.) created via HTTPS are not available in the HTTP portions of the site.

What is the best way to make it available without having to make the entire site HTTPS?

解决方案

This is by design, and not something you can readily change.

Cookies/authentication sent via HTTPS are not sent by the browser when the same site is viewed via HTTP. Your best solution is probably to redirect the user from a HTTPS page to a HTTP page that sets your authentication cookie.

Keep in mind that this unauthenticated cookie, sent in plaintext over the wire, opens your users to spoofing and replay attacks. This may not matter for your application.

这篇关于Django HTTPS和HTTP会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！