Django HTTPS and HTTP Sessions

I am using Django 1.1.1 with an SSL redirect middleware.

Session data (authentication, etc.) created via HTTPS is not available in the HTTP parts of the site.

What is the best way to make it accessible without having to make the entire site HTTPS?

+4
2 answers

This is by design, not something that you can easily change.

Cookies / authentication sent via HTTPS are not sent by the browser when viewing the same site via HTTP. The best solution is probably to redirect the user from the HTTPS page to an HTTP page that sets your authentication cookie.

Keep in mind that this cookie, sent unencrypted in clear text over the wire, opens your users up to impersonation and replay attacks. This may not matter for your application.

+4

Had a similar problem. User iiie on the #django IRC channel pointed me to this parameter:

Setting this option to ".domain.com" allowed me to share sessions between HTTP and HTTPS, as well as between the domain and its hosts / subdomains.

I can imagine situations this does not cover, but for now it solves my problem.

0
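Both answers come down to two cookie attributes the browser enforces: Secure (the first answer's "by design", and the clear-text trade-off once you drop it) and Domain (the second answer's ".domain.com" value). The following script is an added example for this thread, not code from either answer or from Django. It replays those browser rules offline with the standard library's http.cookiejar, which applies the same Secure and Domain matching a browser does, against constructed Set-Cookie headers; hostnames and cookie values are made up. In Django terms the Secure flag is SESSION_COOKIE_SECURE and the Domain attribute is controlled by SESSION_COOKIE_DOMAIN (assumed here to be the setting the second answer is describing, since the page does not name it).

```python
"""Browser cookie rules behind both answers, replayed with http.cookiejar.

Added example for this thread (not code from the answers or from Django).
Hostnames and cookie values are constructed; nothing touches the network.
"""
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Stand-in for an HTTP response; cookiejar only needs .info().get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def jar_after_login(login_url, set_cookie):
    """Simulate a login response at login_url that sets one cookie."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(FakeResponse([set_cookie]), login_request)
    return jar


def cookie_header_for(jar, url):
    """Cookie header the jar (i.e. the browser) would attach to url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def secure_cookie_visibility():
    """Session cookie with the Secure flag (Django: SESSION_COOKIE_SECURE = True).

    Set over HTTPS, the browser returns it only over HTTPS, so HTTP views of
    the same host never see the session. This is the first answer's "by design".
    """
    jar = jar_after_login("https://www.example.com/login",
                          "sessionid=c0nstructed; Path=/; Secure; HttpOnly")
    return {
        "https": cookie_header_for(jar, "https://www.example.com/account"),
        "http": cookie_header_for(jar, "http://www.example.com/catalog"),
    }


def plain_cookie_visibility():
    """Same cookie without Secure: both schemes now receive it.

    Letting an HTTP page see the session means exactly this, and from then on
    the session id crosses the wire in clear text on every HTTP request.
    A host-only cookie (no Domain attribute) still stays on the host that set it.
    """
    jar = jar_after_login("https://www.example.com/login",
                          "sessionid=c0nstructed; Path=/; HttpOnly")
    return {
        "https": cookie_header_for(jar, "https://www.example.com/account"),
        "http": cookie_header_for(jar, "http://www.example.com/catalog"),
        "subdomain": cookie_header_for(jar, "http://shop.example.com/"),
    }


def domain_cookie_visibility():
    """Cookie with Domain=.example.com (Django: SESSION_COOKIE_DOMAIN = ".example.com").

    The Domain attribute widens the cookie to the bare domain and every
    subdomain, which is the sharing the second answer describes; it never
    reaches an unrelated domain.
    """
    jar = jar_after_login("https://www.example.com/login",
                          "sessionid=c0nstructed; Path=/; Domain=.example.com")
    return {
        "same_host": cookie_header_for(jar, "http://www.example.com/"),
        "bare_domain": cookie_header_for(jar, "http://example.com/"),
        "subdomain": cookie_header_for(jar, "http://shop.example.com/"),
        "other_domain": cookie_header_for(jar, "http://example.org/"),
    }


if __name__ == "__main__":
    for name, fn in [("Secure", secure_cookie_visibility),
                     ("no Secure", plain_cookie_visibility),
                     ("Domain=.example.com", domain_cookie_visibility)]:
        print(name, fn())
```

Run it and compare the three dictionaries: with Secure the HTTP request gets no Cookie header at all; without it both schemes carry the session id, which is the exposure the first answer warns about; with a Domain attribute the same cookie also shows up on the bare domain and on sibling hosts, and nowhere else. Note that widening the Domain also widens who can read or set the cookie: any host under .example.com, including ones you do not control, shares it.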
