Let me rephrase the issues so that you can tell me if I understand correctly.
There is information which should not be shown to anonymous (not logged in) users. You desire to always use SSL/TLS (https) when showing such information to logged in users. Once a user has logged in then virtually all pages contain such information. You are concerned that a logged in user may perform an access where he has manually modified the https to be http, or, more likely, has used a book mark, or has refreshed another tab or window of the same browser which was originally loaded before the user logged in. In this case, since all of these windows/tabs will share the same session cookie, request.user.is_authenticated() will be true (thought request.is_secure() will be False), and secure information will be shown over an insecure channel. The simplest answer is to require all accesses (with the possible exception of favicon.ico and robots.txt) be made by way of https. This is easily done in apache using mod_rewrite. The directives applying to port 80 and tose to port 443 are easily separated, and all (or nearly all) requests arriving on port 80 can be redirected to the same path but using https. But if you must display certain pages via http to anonymous users, you can use the combination request.user.is_authenticated() and not request.is_secure() to trigger a redirect in Django, probably from request middleware. Make sure that you are using a new enough Django the request.is_secure() with apache mod_wsgi is reliable (the last bug I know about was fixed in 2007 -- just be sure to test it with your apache/mod_wsgi configuration) More exotic, since mod_rewrite can't tell from the session cookie whether the user is logged in, would be to add a cookie indicating whether the user is logged in (probably in response middleware), which mod_write can use in a condition to force the redirect. The truly malicious can modify their cookies, so I would back stop this with the request middlware solution of the previous paragraph, but when mod_rewrite manages to do the redirect it will have a smaller performance impact (no setting up of the Django request object, looking up the session key, etc.). Bill On Tue, Feb 12, 2013 at 2:16 AM, Alagappan <ralagappan2...@gmail.com> wrote: > Hi, > > In my website, I have a few http pages and a few https pages. > > The session cookie has been made secure=True and once a customer logs in > to the site, we keep all pages as https. > > But if the customer manually changes the URL to http, Django's > user.is_authenticated method returns False and hence is shown some content > that is to be shown for an anonymous user. > > Is there a way I can redirect logged in customers to https pages even if > he/she manually changes the URL. This can either be at the project level or > in server level. > > I am using Apache/mod_wsgi to run my website. > > I hope I have worded my query in a clear manner. Please let me know if I > need to provide further details. > > Thanks, > Alagappan > > > > -- > Thanks & Regards, > Alagappan Ramu > +91 9840 143 620 > > http://about.me/alagappanr > > NIT Trichy <http://www.nitt.edu/> | Global Analytics India Pvt > Ltd<http://global-analytics.com/> > > > > -- > You received this message because you are subscribed to the Google Groups > "Django users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-users+unsubscr...@googlegroups.com. > To post to this group, send email to django-users@googlegroups.com. > Visit this group at http://groups.google.com/group/django-users?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > > -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at http://groups.google.com/group/django-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
