Re: Posting from HTTP to HTTPS on same domain results in CSRF failure

2012-10-31 Thread Kevin Veroneau
I did this approach before and it seems to break Google Search results. :(
I do want users to use the site and find me easily after all.
On Oct 31, 2012 6:24 AM, "Mike Dewhirst" wrote:

> On 31/10/2012 7:21pm, Kevin wrote:
>
>> Hello everyone,
>>
>> I am in the process of deploying a Django app which works both on
>> HTTP and HTTPS connections, and require that some specific forms only
>> submit via HTTPS.  I want the transition process over to HTTPS to be
>> seamless for the end-user.  I am implementing this on a site-wide login
>> form.
>>
>> Are there any workarounds for this or any middleware I can create to
>> allow same domain HTTP to HTTPS transition without worrying about CSRF
>> tokens being declined?  To ensure it wasn't a stale cookie issue, I just
>> cleared my cookies before posting this.
>>
>> The csrf cookie is allowed for any connection, according to Firefox's
>> cookie viewer, so shouldn't this mean that the cookie will be accepted
>> over HTTPS?
>>
>
> Is there any reason you can't make the entire site https?
>
> Ought to solve the problem. And my understanding is that https everywhere
> is a reasonable approach nowadays.
>
>
>
>> Thanks in advance.
>>
>> Django version is 1.4 branch.
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Django users" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/django-users/-/AR9a9jddb_QJ.
>> To post to this group, send email to django-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> django-users+unsubscribe@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/django-users?hl=en.
>>
>



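Why the POST described in the quoted question is rejected even though the browser sends the CSRF cookie, as an added example that is not part of the original thread and not Django's own code: a simplified model of the strict Referer check that Django's CSRF middleware applies to HTTPS requests. The names `check_csrf` and `origin`, the host `example.com` and the token are constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname,
            parts.port or DEFAULT_PORTS.get(parts.scheme))

def check_csrf(is_secure, host, referer, cookie_token, form_token):
    """Simplified model of the checks applied to a POST request.

    Returns None when the request is accepted, otherwise the rejection reason.
    """
    if is_secure:
        # Strict Referer check, HTTPS requests only: the page that submitted
        # the form must itself have been served from https://<host>/.
        if not referer:
            return "no Referer"
        if origin(referer) != origin("https://%s/" % host):
            return "Referer does not match https://%s/" % host
    if not cookie_token:
        return "CSRF cookie not set"
    # Constant-time comparison of the submitted token against the cookie.
    if not form_token or not hmac.compare_digest(form_token, cookie_token):
        return "CSRF token missing or incorrect"
    return None

TOKEN = "constructed-token-0123456789abcdef"  # constructed sample value
HOST = "example.com"                          # placeholder host

def demo():
    """Same cookie and form token in every case; only the schemes differ."""
    return {
        "http form -> https": check_csrf(
            True, HOST, "http://example.com/", TOKEN, TOKEN),
        "https form -> https": check_csrf(
            True, HOST, "https://example.com/login/", TOKEN, TOKEN),
        "http form -> http": check_csrf(
            False, HOST, "http://example.com/", TOKEN, TOKEN),
    }

if __name__ == "__main__":
    for case, reason in demo().items():
        print(case, "->", reason or "accepted")
```

The token matches in all three cases; only the scheme of the submitting page differs, which is why serving the form page itself over HTTPS, as suggested in the thread, lets the POST pass.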

Re: Posting from HTTP to HTTPS on same domain results in CSRF failure

2012-10-31 Thread Kevin Veroneau
I am using analytics.  Hmm.  I hoped that there was a Django setting I may
have missed somewhere.  I'll tackle it in a few hours and post my findings
and/or solution to help others with a similar issue.  If there are any
other suggestions as well I'm open to more ideas.
On Oct 31, 2012 10:08 AM, "kahara" wrote:

> Perhaps this could be fixed by simply redirecting all HTTP requests to
> HTTPS? Also, if you're using Analytics and your visitor comes in from an
> encrypted (Google) search page, then your Analytics will fail as the
> referer header will not contain search terms if the search hit is non-HTTPS.
>
>
> Joni
>
>
> On Wednesday, 31 October 2012 15.41.11 UTC+2, Kevin wrote:
>>
>> I did this approach before and it seems to break Google Search results.
>> :(  I do want users to use the site and find me easily after all.
>> On Oct 31, 2012 6:24 AM, "Mike Dewhirst" wrote:
>>
>>> On 31/10/2012 7:21pm, Kevin wrote:
>>>
>>>> Hello everyone,
>>>>
>>>> I am in the process of deploying a Django app which works both on
>>>> HTTP and HTTPS connections, and require that some specific forms only
>>>> submit via HTTPS.  I want the transition process over to HTTPS to be
>>>> seamless for the end-user.  I am implementing this on a site-wide login
>>>> form.
>>>>
>>>> Are there any workarounds for this or any middleware I can create to
>>>> allow same domain HTTP to HTTPS transition without worrying about CSRF
>>>> tokens being declined?  To ensure it wasn't a stale cookie issue, I just
>>>> cleared my cookies before posting this.
>>>>
>>>> The csrf cookie is allowed for any connection, according to Firefox's
>>>> cookie viewer, so shouldn't this mean that the cookie will be accepted
>>>> over HTTPS?
>>>>
>>>
>>> Is there any reason you can't make the entire site https?
>>>
>>> Ought to solve the problem. And my understanding is that https
>>> everywhere is a reasonable approach nowadays.
>>>
>>>
>>>
>>>> Thanks in advance.
>>>>
>>>> Django version is 1.4 branch.

