Opened 9 years ago

Closed 7 years ago

#10629 closed Uncategorized (fixed)

allow login redirects to traverse a secure connection

Reported by: Ryan Kelly Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


To protect user's login details in-transit, I like to have my login page submit over a secure connection, redirecting the user back to an unsecured connection once the login has been established. Something along the following lines:

  1. Unauthenticated user requests http://site/private/
  2. They're redirected to http://site/login/
  3. They submit their details securely to https://site/login/
  4. This establishes the login and redirects to http://site/private/

The standard contrib.auth views and decorators almost get me there, but they don't like switching protocols during the redirect. Attached is a simple patch that lets contrib.auth support the above workflow by doing two things:

  • allowing the 'next' argument to auth.views.login to contain a full URL, as long as it points to the correct host and not a third-party site
  • having the various auth decorators record the full URL when redirecting to the login page, rather than just the path information

I imagine that having logins traverse a secure connection like this would be fairly common practice, so it'd be great to see support for it in the core distribution.

Attachments (1)

auth_redirect_ssl.diff (1.9 KB) - added by Ryan Kelly 9 years ago.

Download all attachments as: .zip

Change History (3)

Changed 9 years ago by Ryan Kelly

Attachment: auth_redirect_ssl.diff added

comment:1 Changed 9 years ago by Jacob

Triage Stage: UnreviewedDesign decision needed

comment:2 Changed 7 years ago by Chris Beaven

Resolution: fixed
Severity: Normal
Status: newclosed
Type: Uncategorized

This was fixed and is in 1.3

Note: See TracTickets for help on using tickets.
Back to Top