通过HTTPS创建的会话数据(身份验证等)在HTTP部分中不可用该网站。
什么是使其可用的最佳方法,而不必使整个网站HTTPS?
解决方案这是设计而不是你可以随便改变的东西。
请记住,此未经身份验证的Cookie以明文形式发送电线,打开您的用户欺骗和重播攻击。这可能与您的申请无关。
I'm using Django 1.1.1 with the ssl redirect middleware.
Sessions data (authentication etc.) created via HTTPS are not available in the HTTP portions of the site.
What is the best way to make it available without having to make the entire site HTTPS?
解决方案This is by design, and not something you can readily change.
Cookies/authentication sent via HTTPS are not sent by the browser when the same site is viewed via HTTP. Your best solution is probably to redirect the user from a HTTPS page to a HTTP page that sets your authentication cookie.
Keep in mind that this unauthenticated cookie, sent in plaintext over the wire, opens your users to spoofing and replay attacks. This may not matter for your application.
更多推荐
Django HTTPS和HTTP会话
发布评论