Opened 15 years ago
Closed 13 years ago
#10629 closed Uncategorized (fixed)
allow login redirects to traverse a secure connection
| Reported by: | Ryan Kelly | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Design decision needed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
To protect user's login details in-transit, I like to have my login page submit over a secure connection, redirecting the user back to an unsecured connection once the login has been established. Something along the following lines:
- Unauthenticated user requests http://site/private/
- They're redirected to http://site/login/
- They submit their details securely to https://site/login/
- This establishes the login and redirects to http://site/private/
The standard contrib.auth views and decorators almost get me there, but they don't like switching protocols during the redirect. Attached is a simple patch that lets contrib.auth support the above workflow by doing two things:
- allowing the 'next' argument to auth.views.login to contain a full URL, as long as it points to the correct host and not a third-party site
- having the various auth decorators record the full URL when redirecting to the login page, rather than just the path information
I imagine that having logins traverse a secure connection like this would be fairly common practice, so it'd be great to see support for it in the core distribution.
Attachments (1)
Change History (3)
by , 15 years ago
| Attachment: | auth_redirect_ssl.diff added |
|---|
comment:1 by , 15 years ago
| Triage Stage: | Unreviewed → Design decision needed |
|---|
comment:2 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Severity: | → Normal |
| Status: | new → closed |
| Type: | → Uncategorized |
Note:
See TracTickets
for help on using tickets.
This was fixed and is in 1.3