Technically yes.

From a psychological point of view, you need to provide SSL for the login 
screen already, so the end user gets visual feedback that he's in a secure 
transaction and the certificate is validated.

So yes, it should be a "secure login" page that forwards the user back to 
non-secure pages after login is successful.

Gerard wrote:
> I think that technically only your form submit should be posted to an SSL 
> based URL and the rest doesn't have to. Which shouldn't be so hard. Just 
> set up the 'post to' URL in the template (under: form action="" ) or define 
> it in the view method where the form is initiated just before rendering.
> 
> Thing I'm wondering about though, when the user/password combi is incorrect 
> the most secure way would be to simply send the empty form back in the 
> resulting page, because otherwise a username might be sent back to the 
> client outside the SSL connect.
> 
> Haven't looked for it yet, but I do want to implement that myself. Let's post 
> if we find anything :)
> 
> Regards,
> 
> Gerard.
> 
> 
> 
> Jani Tiainen wrote:
>> I'm trying to get Django to make authentication (namely username + 
>> password) to be transferred over HTTPS. But rest of the site is still on 
>> plain old HTTP.
>>
>> How can this be done? I've had very little success and Google didn't give 
>> much help either.
>>
>> I'm using Apache 2.2 with mod_wsgi and I've total control over my 
>> webserver config.
>>
> 
> 


-- 
Jani Tiainen
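
One way to enforce the setup discussed in this thread, as an added example that is not part of the original messages or of Django's own code: a plain WSGI wrapper, usable in a mod_wsgi script, that serves the login URL only over HTTPS. The class name, the `/accounts/login/` prefix, the host `www.example.com` and the `demo` helper are assumptions for illustration.

```python
from urllib.parse import quote


class SecureLoginMiddleware:
    """WSGI wrapper: the login form and its POST are reachable only over HTTPS."""

    def __init__(self, app, https_host, secure_prefixes=("/accounts/login/",)):
        self.app = app
        self.https_host = https_host  # fixed in config, never taken from the Host header
        self.secure_prefixes = tuple(secure_prefixes)  # assumed login URL prefix

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if (path.startswith(self.secure_prefixes)
                and environ.get("wsgi.url_scheme") != "https"):
            return self._to_https(environ, start_response)
        return self.app(environ, start_response)

    def _to_https(self, environ, start_response):
        raw = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        url = "https://%s%s" % (self.https_host, quote(raw.encode("latin-1")))
        if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
            if environ.get("QUERY_STRING"):
                url += "?" + environ["QUERY_STRING"]
            status = "301 Moved Permanently"
        else:
            # A form posted over plain HTTP is never handed to the app; 303 makes
            # the browser fetch the HTTPS form with GET instead of replaying it.
            status = "303 See Other"
        start_response(status, [("Location", url), ("Content-Length", "0")])
        return [b""]


def demo(method, scheme, path, query=""):
    """Run one constructed request through the wrapper; return (status, location, body)."""
    seen = {}
    def inner_app(environ, start_response):  # stand-in for the Django WSGI handler
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"app"]
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    wrapped = SecureLoginMiddleware(inner_app, https_host="www.example.com")
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(wrapped(environ, start_response))
    return seen["status"], seen["headers"].get("Location"), body
```

This covers only the credentials in transit: the session cookie issued at login still travels over plain HTTP on the rest of the site.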
