Django HTTPS and HTTP Sessions

I'm using Django 1.1.1 with the ssl redirect middleware.

Sessions data (authentication etc.) created via HTTPS are not available in the HTTP portions of t开发者_如何学Gohe site.

What is the best way to make it available without having to make the entire site HTTPS?

This is by design, and not something you can readily change.

Cookies/authentication sent via HTTPS are not sent by the browser when the same site is viewed via HTTP. Your best solution is probably to redirect the user from a HTTPS page to a HTTP page that sets your authentication cookie.

Keep in mind that this unauthenticated cookie, sent in plaintext over the wire, opens your users to spoofing and replay attacks. This may not matter for your application.

Been having a similar issue. User iiie on #django IRC pointed me to this setting:

• SESSION_COOKIE_DOMAIN ( https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-domain )

Setting this option to ".domain.com" allowed me to share sessions between HTTP/HTTPS as well as across the domain and hosts/subdomains.

I could imagine a situation where one didn't wan't both of those but it solves my issue for now.