Django does strict referrer checking[1] which includes checking the scheme (HTTP vs. HTTPS). Like the others, I suggest you serve the whole site over HTTPS and forward HTTP traffic to the appropriate HTTPS URLs.
-David

[1] https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/#how-it-works
[1] https://github.com/django/django/blob/master/django/middleware/csrf.py#L147

On Wednesday, October 31, 2012 9:36:42 AM UTC-7, Kevin wrote:
>
> I am using analytics. Hmm. I hoped that there was a django setting I may
> have missed somewhere. I'll tackle it in a few hours and post my findings
> and/or solution to help others with a similar issue. If there are any
> other suggestions as well I'm open to more ideas.
> On Oct 31, 2012 10:08 AM, "kahara" <joni....@gmail.com> wrote:
>
>> Perhaps this could be fixed by simply redirecting all HTTP requests to
>> HTTPS? Also, if you're using Analytics and your visitor comes in from an
>> encrypted (Google) search page, then your Analytics will fail as the
>> referer header will not contain search terms if the search hit is non-HTTPS.
>>
>> Joni
>>
>> Wednesday, 31 October 2012 15.41.11 UTC+2 Kevin wrote:
>>>
>>> I did this approach before and it seems to break Google Search results.
>>> :( I do want users to use the site and find me easily after all.
>>> On Oct 31, 2012 6:24 AM, "Mike Dewhirst" <mi...@dewhirst.com.au> wrote:
>>>
>>>> On 31/10/2012 7:21pm, Kevin wrote:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I am in the process of deploying a Django app which works both on
>>>>> HTTP and HTTPS connections, and require that some specific forms only
>>>>> submit via HTTPS. I want the transition process over to HTTPS to be
>>>>> seamless for the end-user. I am implementing this on a site-wide login
>>>>> form.
>>>>>
>>>>> Are there any workarounds for this or any middleware I can create to
>>>>> allow same domain HTTP to HTTPS transition without worrying about CSRF
>>>>> tokens being declined? To ensure it wasn't a stale cookie issue, I just
>>>>> cleared my cookies before posting this.
>>>>>
>>>>> The csrf cookie is allowed for any connection, according to Firefox's
>>>>> cookie viewer, so shouldn't this mean that the cookie will be accepted
>>>>> over HTTPS?
>>>>>
>>>>
>>>> Is there any reason you can't make the entire site https?
>>>>
>>>> Ought to solve the problem. And my understanding is that https
>>>> everywhere is a reasonable approach nowadays.
>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Django version is 1.4 branch.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Django users" group.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msg/django-users/-/AR9a9jddb_QJ.
>>>>> To post to this group, send email to django...@googlegroups.com.
>>>>> To unsubscribe from this group, send email to
>>>>> django-users...@googlegroups.com.
>>>>> For more options, visit this group at
>>>>> http://groups.google.com/group/django-users?hl=en.
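
The referer check that David's reply at the top of this thread describes can be modelled without Django. This is an added example, not part of the original thread and not Django's code: `check_referer`, `origin` and the sample requests are hypothetical, and the CSRF token comparison that runs in addition is left out.

```python
# Added illustration: a stdlib-only model of the strict Referer check described
# in the reply above. It is NOT Django's code; all names here are hypothetical.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def check_referer(is_secure, host, referer):
    """Model the Referer rule for one POST; return (accepted, reason)."""
    if not is_secure:
        # Over plain HTTP the Referer is not examined; only the token is.
        return True, "referer not checked on HTTP"
    if not referer:
        return False, "no Referer header on HTTPS request"
    # The scheme is part of the comparison, so http:// never matches https://.
    if origin(referer) != origin("https://%s/" % host):
        return False, "Referer %s does not match https://%s/" % (referer, host)
    return True, "referer ok"


# Constructed requests: (label, request is HTTPS?, Host header, Referer header)
SAMPLES = [
    ("form on HTTP page posts to HTTPS", True, "example.com", "http://example.com/login/"),
    ("form on HTTPS page posts to HTTPS", True, "example.com", "https://example.com/login/"),
    ("HTTPS post, Referer stripped", True, "example.com", None),
    ("HTTPS post from other host", True, "example.com", "https://other.example/login/"),
    ("plain HTTP post", False, "example.com", "http://example.com/login/"),
]

if __name__ == "__main__":
    for label, secure, host, referer in SAMPLES:
        ok, reason = check_referer(secure, host, referer)
        print("%-36s -> %s (%s)" % (label, "accept" if ok else "reject 403", reason))
```

The first sample is the situation from the original question: the login form is rendered on an HTTP page, so its Referer carries the `http` scheme and the HTTPS POST is rejected even though the cookie is present.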