We ran into a problem where users would either a) not be in SSL mode
when they should be, or b) be *in* SSL mode when they shouldn't be. We
solved it with middleware to make sure that we were always in the
correct mode. Note: the page you are on when filling out a form does
not, technically, have to be in SSL for security (only the form action
needs to be), but it makes the customers feel better if they see that
they are on a secure page. Also, you can *not* do a redirect if you
have POST data -- you will lose it.

We always have our forms submit to the same URL that rendered them.
This simplifies things for error handling. If the submission succeeds,
we redirect to a success page (which is *not* in SSL mode).

  HTH,
  Peter
P.S. If this gets mangled by Google, let me know and I'll email it to
you.


You need a list in your settings file that has all of the paths that
must be in SSL mode. E.g.

settings.py:

HTTPS_PATHS = [
     '/login/',
     '/subscribe/',
     '/whatever/',
     ]

And add path.to.middleware.file.HttpsMiddleware to your list of
MIDDLEWARE_CLASSES.

In some file:

from django.conf import settings
from django.http import HttpResponseRedirect


class HttpsMiddleware:
    def process_request(self, request):
        try:
            # Under certain strange conditions this failed.
            path = request.path
        except Exception:
            return None

        host = request.META.get('HTTP_HOST', '')
        if path in settings.HTTPS_PATHS:
            # path should be https,
            if request.is_secure():
                # and it is.
                return None
            # But it's not. Force the issue.
            # WARNING: this drops any POST data!!
            url = 'https://' + host + request.path
            return HttpResponseRedirect(url)
        elif request.is_secure():
            # It *is* https and it shouldn't be.
            url = 'http://' + host + request.path
            return HttpResponseRedirect(url)
        return None
    # process_request
# class HttpsMiddleware
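
Added example, not part of the original post: the same scheme decision written as a pure function so it can be tested without Django. It goes beyond the posted middleware by keeping the query string, refusing a POST instead of redirecting it (the redirect would drop the body), and checking the client-supplied Host value against an allow-list before building a URL from it. ALLOWED_HOSTS, www.example.com and the function name are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

HTTPS_PATHS = {'/login/', '/subscribe/', '/whatever/'}  # paths from the post
ALLOWED_HOSTS = {'www.example.com'}                     # assumed site host


def scheme_redirect(method, is_secure, host, full_path):
    """Decide what to do with a request.

    Returns ('pass', None), ('redirect', url) or ('reject', reason).
    full_path is the path plus any query string, e.g. '/login/?next=/x/'.
    """
    path = urlsplit(full_path).path
    want_https = path in HTTPS_PATHS

    if want_https == is_secure:
        # Already in the correct mode; nothing to do.
        return ('pass', None)

    if host not in ALLOWED_HOSTS:
        # The Host header comes from the client, so never redirect to a
        # host the site does not serve.
        return ('reject', 'unknown host')

    if method == 'POST':
        if want_https:
            # The form data already travelled in clear text and a redirect
            # would lose it anyway, so fail loudly instead.
            return ('reject', 'POST over plain HTTP to an HTTPS-only path')
        # POST over HTTPS to a non-SSL path: let the view handle it rather
        # than redirecting and losing the body (assumed policy).
        return ('pass', None)

    scheme = 'https' if want_https else 'http'
    return ('redirect', f'{scheme}://{host}{full_path}')
```

In a real Django project, request.get_host() performs the host check against the ALLOWED_HOSTS setting and request.get_full_path() supplies the path with its query string.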
