Posting from HTTP to HTTPS on same domain results in CSRF failure


Kevin

Oct 31, 2012, 4:21:33 AM
to django...@googlegroups.com
Hello everyone,

I am in the process of deploying a Django app which works on both HTTP and HTTPS connections, and requires that some specific forms only submit via HTTPS. I want the transition process over to HTTPS to be seamless for the end-user. I am implementing this on a site-wide login form.

Are there any workarounds for this or any middleware I can create to allow same domain HTTP to HTTPS transition without worrying about CSRF tokens being declined? To ensure it wasn't a stale cookie issue, I just cleared my cookies before posting this.

The CSRF cookie is allowed for any connection, according to Firefox's cookie viewer, so shouldn't this mean that the cookie will be accepted over HTTPS?

Thanks in advance.

Django version is 1.4 branch.

Mike Dewhirst

Oct 31, 2012, 7:23:13 AM
to django...@googlegroups.com
Is there any reason you can't make the entire site https?

Ought to solve the problem. And my understanding is that https
everywhere is a reasonable approach nowadays.


> --
> You received this message because you are subscribed to the Google
> Groups "Django users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/django-users/-/AR9a9jddb_QJ.
> To post to this group, send email to django...@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.

Kevin Veroneau

Oct 31, 2012, 9:40:47 AM
to django...@googlegroups.com

I did this approach before and it seems to break Google Search results. :( I do want users to use the site and find me easily after all.


jirka.v...@gmail.com

Oct 31, 2012, 10:18:03 AM
to django...@googlegroups.com
Hi there,

I'm sorry I don't have a solution for you. However I have a warning/recommendation.

Even if you don't serve the full site over HTTPS, you should make sure that forms that submit data over HTTPS are served over HTTPS. Otherwise you make it difficult for users to verify that their data (credentials etc.) will be submitted over a secure channel (and to verify certs prior to submitting form data etc.).

On the plus side, if you serve forms over HTTPS (not only submit responses), it'll automatically solve your CSRF token problem.

HTH

Jirka

kahara

Oct 31, 2012, 11:08:13 AM
to django...@googlegroups.com
Perhaps this could be fixed by simply redirecting all HTTP requests to HTTPS? Also, if you're using Analytics and your visitor comes in from an encrypted (Google) search page, then your Analytics will fail, as the Referer header will not contain search terms if the search hit is non-HTTPS.

Joni


Kevin Veroneau

Oct 31, 2012, 12:36:09 PM
to django...@googlegroups.com

I am using Analytics. Hmm. I hoped that there was a Django setting I may have missed somewhere. I'll tackle it in a few hours and post my findings and/or solution to help others with a similar issue. If there are any other suggestions as well, I'm open to more ideas.


David Fischer

Oct 31, 2012, 2:03:28 PM
to django...@googlegroups.com
Django does strict referrer checking[1] which includes checking the scheme (HTTP vs. HTTPS). Like the others, I suggest you serve the whole site over HTTPS and forward HTTP traffic to the appropriate HTTPS URLs.
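
Added example, not from any of the posts above and not Django's own code: a small Django-free model of the two points made in this thread. First, the strict Referer check David Fischer mentions, which Django's CsrfViewMiddleware applies only to HTTPS requests and which compares scheme, host and port, so a form page served over http:// that POSTs to https:// on the same host is rejected. Second, the remedy Jirka and the others recommend: serve the form page itself over HTTPS by redirecting the HTTP request, so the Referer the browser sends with the POST is https:// as well. Host names, paths and the `SECURE_PATHS` list are constructed sample values.

```python
"""Model of Django's HTTPS-only CSRF Referer check and a per-path HTTPS redirect.

This is an added illustration, not Django's implementation. It mirrors the
1.4-era behaviour described in the thread: on an HTTPS request the Referer
must be same-origin (scheme, host, port) with 'https://<host>/'; plain HTTP
requests skip the Referer check entirely.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumed: paths whose form pages must be served (and submitted) over HTTPS only.
SECURE_PATHS = ("/login/", "/accounts/")


def same_origin(url1, url2):
    """True when scheme, hostname and port all match (as Django's helper does).

    A missing port (None) and an explicit one are treated as different, so
    'https://example.com/' and 'https://example.com:8443/' do not match.
    """
    p1, p2 = urlsplit(url1), urlsplit(url2)
    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)


def referer_ok(is_secure, host, referer):
    """Emulate the CSRF Referer check; returns (accepted, reason).

    Only HTTPS requests are checked. The expected origin is built from the
    request's own host, so a Referer of http://<host>/... fails purely on
    scheme, which is exactly the HTTP-form-to-HTTPS-action failure.
    """
    if not is_secure:
        return True, "http request: no referer check"
    if referer is None:
        return False, "REASON_NO_REFERER"
    good_referer = "https://%s/" % host
    if not same_origin(referer, good_referer):
        return False, "REASON_BAD_REFERER: %s vs %s" % (referer, good_referer)
    return True, "referer ok"


def https_redirect_target(is_secure, host, path, query=""):
    """Return the https:// URL to redirect to, or None when no redirect applies.

    Models a middleware that redirects the GET for a secure form page so the
    page (not just the form action) is served over HTTPS. Only paths under
    SECURE_PATHS are touched; everything else stays on HTTP, which matches
    the original poster's wish to keep the rest of the site on HTTP.
    """
    if is_secure:
        return None
    if not any(path.startswith(p) for p in SECURE_PATHS):
        return None
    return urlunsplit(("https", host, path, query, ""))


def simulate_login(host, page_scheme):
    """Walk the flow: GET form page (maybe redirected), then POST over HTTPS.

    Returns the (accepted, reason) pair the CSRF check would produce for
    the POST, given the scheme the form page was actually served on.
    """
    path = "/login/"
    redirect = https_redirect_target(page_scheme == "https", host, path)
    served_scheme = "https" if redirect else page_scheme
    referer = "%s://%s%s" % (served_scheme, host, path)
    return referer_ok(True, host, referer)


if __name__ == "__main__":
    # Without the redirect the form page is http:// and the HTTPS POST fails.
    print(referer_ok(True, "example.com", "http://example.com/login/"))
    # With the page served over https:// the same POST is accepted.
    print(simulate_login("example.com", "http"))
```

The useful observation for the original question: no cookie or token setting fixes this, because the rejected value is the Referer the browser attaches to the POST, which is the URL of the page that held the form. Redirecting the GET for the form page is what changes that value.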
