Django HTTPS设置:为什么同时设置SESSION_SAVE_EVERY_REQUEST和SESSION_COOKIE_SECURE中断会话? [英] Django HTTPS settings: Why does setting both SESSION_SAVE_EVERY_REQUEST and SESSION_COOKIE_SECURE break sessions?
问题描述
我试图将我的django应用程序锁定到仅HTTPS访问。如果只有SESSION_SAVE_EVERY_REQUEST为True或者只有SESSION_COOKIE_SECURE为True,但如果在我的设置中都为True,则request.session将变为空白,从而在整个网站上破坏用户身份验证。
I'm trying to lock my django app down to only HTTPS access. Everything seems to work fine if only SESSION_SAVE_EVERY_REQUEST is True or if only SESSION_COOKIE_SECURE is True, but if both are True in my settings, then request.session becomes blank, breaking user authentication across the site.
我认为这是因为我有HTTP请求重定向到HTTPS,但是在他们这样做之前触发会话保存,并且与匿名用户创建一个新的重写sessionid,因为HTTP请求不发送很好的sessionid cookie。我看到这是因为登录表单提交返回一个sessionid cookie,但是从http:... / home到https:... / home的重定向返回一个新的sessionid cookie值,然后使用该值。
I'm thinking this is because I have HTTP requests that redirect to HTTPS but trigger a session save before they do so, and that creates a new, overriding sessionid with an anonymous user because that HTTP request doesn't send the good sessionid cookie. I see this because the login form submission returns one sessionid cookie, but the redirection from http:.../home to https:.../home returns a new sessionid cookie value which is used from then on.
我可能会删除SESSION_SAVE_EVERY_REQUEST,但我想尝试保留该功能,这些http重定向无论如何都是浪费的。
I might be fine removing SESSION_SAVE_EVERY_REQUEST, but I'd like try to keep that functionality, and these http redirects are wasteful anyways.
首先,我尝试在我的wsgi.py中添加以下内容,看到这个问题 - https://security.stackexchange.com/questions/8964/trying-to-make -a-django-based-site-use-https-only-not-sure-if-it-secure
First I tried adding the below in my wsgi.py from seeing this question - https://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure
if not os.environ.get('DEVELOPMENT'):
os.environ['HTTPS'] = 'on'
os.environ['wsgi.url_scheme'] = 'https'
但是django.shortcuts.redirect('/')和django.contrib.auth.decorators.login_required仍然重定向到http而不是https,所以这很困惑...
But django.shortcuts.redirect('/') and django.contrib.auth.decorators.login_required still redirect with http instead of https after that, so that's very confusing...
如果这不是正确的方式,那么我唯一的其他想法是SESSION_SAVE_EVERY_REQUEST的自定义实现只对HTTPS请求执行。有没有人尝试过?
If that's not the right way, then my only other thought is a custom implementation of SESSION_SAVE_EVERY_REQUEST that only performs on HTTPS requests. Has anyone tried that before?
推荐答案
找到它!我需要设置一个设置来说服django我真的在https,即使我隐藏在nginx后面:
Found it! I needed to set a setting to convince django that I am really on https even though I'm hiding behind nginx:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
参考: https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy -ssl-header
这篇关于Django HTTPS设置:为什么同时设置SESSION_SAVE_EVERY_REQUEST和SESSION_COOKIE_SECURE中断会话?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
