[Fixed]-Django: HTTPS for just login page?


Actually, modifying the middleware like so seems to work pretty well:

from django.conf import settings
from django.http import HttpResponsePermanentRedirect


class SSLRedirect:
    """Old-style (pre-1.10) Django middleware: a view is forced onto HTTPS when its
    URL pattern passes SSL=True in the view kwargs, every request from an
    authenticated user is forced onto HTTPS, and everything else is forced onto HTTP.
    settings.DOMAIN is a project-specific setting holding the bare domain name."""

    def process_view(self, request, view_func, view_args, view_kwargs):
        if 'SSL' in view_kwargs:
            secure = view_kwargs['SSL']
            del view_kwargs['SSL']  # don't pass the marker on to the view
        else:
            secure = False
        # is_authenticated() is a method in the Django versions this answer targets
        if request.user.is_authenticated():
            secure = True
        if secure != self._is_secure(request):
            return self._redirect(request, secure)

    def _is_secure(self, request):
        if request.is_secure():
            return True
        # Handle the Webfaction case until this gets resolved in request.is_secure()
        if 'HTTP_X_FORWARDED_SSL' in request.META:
            return request.META['HTTP_X_FORWARDED_SSL'] == 'on'
        return False

    def _redirect(self, request, secure):
        protocol = "https://secure" if secure else "http://www"
        newurl = "%s.%s%s" % (protocol, settings.DOMAIN, request.get_full_path())
        if settings.DEBUG and request.method == 'POST':
            raise RuntimeError(
                "Django can't perform a SSL redirect while maintaining POST data. "
                "Please structure your views so that redirects only occur during GETs.")
        return HttpResponsePermanentRedirect(newurl)


Better is to secure everything. Half secure seems secure, but is totally not. To put it bluntly: by doing so you are deceiving your end users by giving them a false sense of security.

So either don’t use SSL or better: use it all the way. The overhead for both server and end user is negligible.
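The two answers above differ on policy: the middleware in the first forces HTTPS only for flagged views and logged-in users and hand-codes one proxy header, while the second says to use SSL all the way. As an added example (not code from either answer), the block below audits a Django settings module for the all-HTTPS configuration and shows the request-is-secure decision that Django's own `SECURE_PROXY_SSL_HEADER` setting generalises from the Webfaction-only check; the setting names are real Django settings, and the two settings dicts are constructed sample input.

```python
# Added example, not from the original answers. Offline audit of Django settings
# for "HTTPS everywhere", plus the is_secure decision behind SECURE_PROXY_SSL_HEADER.

SAMPLE_LOGIN_ONLY = {  # constructed: the "HTTPS for just the login page" setup
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_PROXY_SSL_HEADER": None,
}

SAMPLE_ALL_HTTPS = {  # constructed: "use it all the way"
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
}


def is_secure_request(meta, proxy_header):
    """Mirror Django's request.is_secure(): trust the WSGI scheme, otherwise a
    proxy header named by SECURE_PROXY_SSL_HEADER as (META name, expected value).
    This is the general form of the HTTP_X_FORWARDED_SSL check in the middleware."""
    if meta.get("wsgi.url_scheme") == "https":
        return True
    if proxy_header is not None:
        name, value = proxy_header
        return meta.get(name) == value
    return False


def audit_https_settings(settings, behind_tls_proxy):
    """Return the settings that leave part of the site on plain HTTP, i.e. the
    'half secure' state the second answer warns against. Empty list means all-HTTPS."""
    problems = []
    if not settings.get("SECURE_SSL_REDIRECT"):
        problems.append("SECURE_SSL_REDIRECT off: unflagged views stay reachable over http")
    if not settings.get("SESSION_COOKIE_SECURE"):
        problems.append("SESSION_COOKIE_SECURE off: browser sends the session cookie over http too")
    if not settings.get("CSRF_COOKIE_SECURE"):
        problems.append("CSRF_COOKIE_SECURE off: browser sends the CSRF cookie over http too")
    if not settings.get("SECURE_HSTS_SECONDS"):
        problems.append("SECURE_HSTS_SECONDS is 0: browsers may still start each visit on http")
    if behind_tls_proxy and settings.get("SECURE_PROXY_SSL_HEADER") is None:
        problems.append("SECURE_PROXY_SSL_HEADER unset: behind a TLS proxy every request looks insecure")
    return problems
```

Run `audit_https_settings` against your real settings module (via `vars(settings)`-style dict) to see which of the five knobs still leave a plain-HTTP path open.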
