Re: how to use HTTPS with django


Melvyn Sopacua

unread,
Jul 6, 2012, 11:24:13 AM7/6/12
to django...@googlegroups.com
On 6-7-2012 8:08, heni yemun wrote:

> I want to know how to use HTTPS to securely login and signup a user with
> django.

Django doesn't care about HTTPS. You'd handle this in the webserver by
redirecting to the secure virtual host for the login url. How to
implement that is webserver specific.

> I'd also like you to tell me how to attach extra information to the
> standard User object. The reference provided does not seem to be detailed
> enough to implement. THANK YOU!

It's plenty documented:
<https://docs.djangoproject.com/en/1.4/topics/auth/#storing-additional-information-about-users>

What do you think is missing?
--
Melvyn Sopacua


John DeRosa

unread,
Jul 6, 2012, 2:44:30 PM7/6/12
to django...@googlegroups.com
On Jul 6, 2012, at 4:24 AM, Melvyn Sopacua wrote:

> On 6-7-2012 8:08, heni yemun wrote:
>
>> I want to know how to use HTTPS to securely login and signup a user with
>> django.
>
> Django doesn't care about HTTPS. You'd handle this in the webserver by
> redirecting to the secure virtual host for the login url. How to
> implement that is webserver specific.

One of the many ways to handle this is to terminate SSL/TLS in the load balancer, and have the balancer send all requests as HTTP to the web servers running Django (and httpd or whathaveyou) behind it.

John

Timothy Makobu

unread,
Jul 7, 2012, 3:05:39 AM7/7/12
to django...@googlegroups.com
For secure logins, this helps https://docs.djangoproject.com/en/dev/topics/http/sessions/?from=olddocs/#session-cookie-secure


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django...@googlegroups.com.
To unsubscribe from this group, send email to django-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.


Melvyn Sopacua

unread,
Jul 7, 2012, 8:22:50 AM7/7/12
to django...@googlegroups.com
On 7-7-2012 5:05, Timothy Makobu wrote:
> For secure logins, this helps
> https://docs.djangoproject.com/en/dev/topics/http/sessions/?from=olddocs/#session-cookie-secure
>

No it doesn't. That is for secure /sessions/, which means that if you
use this during the login process then the session is created on the
HTTPS connection and only /valid/ on the HTTPS connection. In other
words, if you set this flag the scenario of having an unencrypted site
with an encrypted login procedure is impossible.

--
Melvyn Sopacua


Timothy Makobu

unread,
Jul 7, 2012, 8:27:04 AM7/7/12
to django...@googlegroups.com
" I want to know how to use HTTPS to securely login ..." which satisfies the first part of the question. This way it won't be possible to login without HTTPS enabled for the project.

Melvyn Sopacua

unread,
Jul 7, 2012, 8:28:36 AM7/7/12
to django...@googlegroups.com
On 7-7-2012 10:27, Timothy Makobu wrote:
> " I want to know how to use HTTPS to securely login ..." which satisfies
> the first part of the question. This way it won't be possible to login
> without HTTPS enabled for the project.

What use is logging in if you're logged out the minute the connection
becomes unencrypted?

--
Melvyn Sopacua


Timothy Makobu

unread,
Jul 7, 2012, 9:24:14 AM7/7/12
to django...@googlegroups.com
I would think he would have areas that need to be logged in to all SSL. He already has the cert for SSL logins, and it's prudent these days to have such apps all SSL, with tools making it straightforward to lift unencrypted traffic off a network.




Thomas Orozco

unread,
Jul 8, 2012, 9:47:01 AM7/8/12
to django...@googlegroups.com

This comes down to a simple middleware that intercepts http requests and redirects them to https. This is very easy to do in django.

You can find plenty of such middleware on djangosnippets.

Now, if your app is running behind a reverse proxy (e.g. nginx + gunicorn), things get a little bit more complicated as your proxy needs to tell the django app whether the request was originally https or http.

This is easy to do, but not very well documented in django. Look at the settings reference for the appropriate ones.


Alternatively, you could achieve the same thing at webserver level. But having worked with both setups, using a middleware is a lot easier to set up.

Now, you might find doing it at webserver level more appropriate, that's a matter of personal preference.
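As an added illustration of the two deployment shapes discussed in this thread (John's TLS-terminating load balancer and Thomas's nginx + gunicorn reverse proxy), and not code from the thread or from Django itself: a framework-free WSGI middleware that redirects plain-HTTP requests to HTTPS and believes a proxy-supplied scheme header only when explicitly told to. The X-Forwarded-Proto header name, the canonical host and the helper names are assumptions; in Django the same decision is driven by the SECURE_PROXY_SSL_HEADER setting feeding request.is_secure().

```python
from urllib.parse import quote


# Constructed demo app standing in for the Django WSGI application.
def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure hello"]


class ForceHTTPSMiddleware:
    """Redirect plain-HTTP requests to their HTTPS equivalent.

    When TLS terminates at a load balancer or nginx, the app sees every
    request as HTTP; only a header the proxy sets (X-Forwarded-Proto is an
    assumed convention here) says what the client really used. That header
    is trusted only when trust_proxy_header=True, i.e. when a proxy in front
    is known to overwrite it; otherwise a client could spoof it and skip
    the redirect.
    """

    def __init__(self, app, canonical_host, trust_proxy_header=False):
        self.app = app
        # Fixed host for the redirect target: never reflect the client's
        # Host header, which would turn this into an open redirect.
        self.canonical_host = canonical_host
        self.trust_proxy_header = trust_proxy_header

    def is_secure(self, environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        if self.trust_proxy_header:
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
            return proto.split(",")[0].strip().lower() == "https"
        return False

    def __call__(self, environ, start_response):
        if self.is_secure(environ):
            return self.app(environ, start_response)
        location = "https://%s%s" % (self.canonical_host,
                                     quote(environ.get("PATH_INFO") or "/"))
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def run(app, environ):
    """Call a WSGI app and return (status, header dict, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Wrap the Django application object with `ForceHTTPSMiddleware(application, "your.host")` in the WSGI entry point, and set `trust_proxy_header=True` only when a proxy you control rewrites the header on every request.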

John Yeukhon Wong

unread,
Jul 8, 2012, 1:39:38 PM7/8/12
to django...@googlegroups.com
I agree, but I think at the web server level is much better. Middlewares can break if Django core changes a lot, and since they are third-party hack code, unless you are confident how to maintain it yourself, don't use them. Apache, Nginx configurations are widely used so they are easier to get help with nowadays. That is not to say that many middlewares I've seen over the years are bad. I've used a few of those on snippets :) They are great.

And for many people, there is usually more than one Django site, or multiple applications deployed (custom backend, etc.) which run as HTTP services too. So enabling SSL at server level is a lot easier to maintain.


Thomas Orozco

unread,
Jul 8, 2012, 7:29:53 PM7/8/12
to django...@googlegroups.com

That's indeed a valid point, if you're going to deploy multiple services behind a webserver it does make sense to do it at webserver level as you'll avoid duplicating your efforts.

Now, using middleware that redirects to https does not have to be "a hack", and if django changes to the point that your middleware breaks, there will probably be a lot of other issues :-)


lacry...@gmail.com

unread,
Jul 9, 2012, 1:15:43 PM7/9/12
to django...@googlegroups.com

Middleware is most certainly *not* hacks! They're an intended and perfectly documented hook point for any special behavior you'd like in your webservice that makes sense inserting at that particular point of the request processing

-----Original message-----
From: Thomas Orozco
Sent: 08/07/2012 16:29:53
Subject: Re: how to use HTTPS with django
Message truncated to 2,000 characters.