
Django named URLs and HTTPS/SSL

I'm currently working on securing my Django website with SSL. I'd like certain URL patterns to be accessible only via HTTPS. The single most important thing to do is to secure the login site. There is this form where user inputs their login/password into a form and the form is POSTed to the server. In the login page template I have something like

<form method="POST" action="{% url login %}">

and in my urls.py one of the patterns is something like

    url(r'^login/$', 'mySiteLogin', name='login'),

Now I've found some resources suggesting that I should use a middleware that will rewrite http to https, for example this: Django relative urls and https. But logging in cannot be done this way - it's no use to rewrite the protocol when the user has already POSTed their password in plaintext!

So I'm thinking, can I somehow tell {% url %} to use https? I'm thinking of a solution that will use a decorator to mark views that require encryption and then some tag similar to {% url %} will use this info and create a link with https when required.

Or is there some other way?

Thanks,

Mike


But logging in cannot be done this way - it's no use to rewrite the protocol when the user has already POSTed their password in plaintext!

Just serve the login page itself over HTTPS. This seems to be a good idea in general.

“By January 5, it was clear that an entire country’s worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades.”—which is why you shouldn’t serve your login form over HTTP even though it POSTs over HTTPS.

http://simonwillison.net/2011/Jan/24/

In a nutshell, ISPs from Tunisia injected malicious JavaScript code into the login pages of Facebook to steal user logins.
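As an added example that is neither the asker's nor the answerers' code: a Django-style decorator implementing the marking idea from the question, a `url()` helper that emits an absolute https:// URL for marked views (the "{% url %} that knows about https" the asker wanted), and request handling that follows the answer above: a plain-HTTP GET of the login page is redirected to HTTPS, while a plain-HTTP POST is refused rather than redirected, because the password has already left the browser in clear text. `Request`, `Response` and `ROUTES` are constructed stand-ins for Django's request/response objects and URLconf so the block runs without Django installed.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Tuple

ROUTES: Dict[str, Tuple[str, Callable]] = {}  # constructed stand-in for the URLconf

@dataclass
class Response:  # constructed stand-in for django.http.HttpResponse
    status: int
    location: str = ""
    body: str = ""

class Request:  # constructed stand-in for the parts of HttpRequest used below
    def __init__(self, method, secure, host="example.com", path="/login/"):
        self.method, self._secure, self._host, self._path = method, secure, host, path
    def is_secure(self): return self._secure
    def get_host(self): return self._host
    def get_full_path(self): return self._path

def require_https(view: Callable) -> Callable:
    """Mark a view as HTTPS-only and enforce that at request time."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.is_secure():
            return view(request, *args, **kwargs)
        if request.method in ("GET", "HEAD"):
            # Nothing sensitive has been sent yet, so redirecting is safe.
            return Response(301, location=f"https://{request.get_host()}{request.get_full_path()}")
        # A POST body that arrived in clear text has already been exposed; a redirect
        # cannot undo that, so refuse it instead of quietly replaying it over HTTPS.
        return Response(403, body="Submissions are accepted only over HTTPS.")
    wrapper.https_only = True  # the mark that url() consults
    return wrapper

def url(name: str, host: str) -> str:
    """Like {% url %}, but absolute https:// for views marked by require_https."""
    path, view = ROUTES[name]
    return f"https://{host}{path}" if getattr(view, "https_only", False) else path

@require_https
def login(request):
    return Response(200, body="login form")

def home(request):
    return Response(200, body="home")

ROUTES["login"] = ("/login/", login)
ROUTES["home"] = ("/", home)
```

With this in place the form action rendered by `url("login", host)` is always https://, and the page carrying the form should itself be served over HTTPS, as the answer recommends.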


Maybe you should instead look at middleware solutions that do redirection between HTTP and HTTPS. One example: http://djangosnippets.org/snippets/85/
