Opened 5 years ago

Closed 3 years ago

#10629 closed Uncategorized (fixed)

allow login redirects to traverse a secure connection

Reported by: rfk Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

To protect users' login details in transit, I like to have my login page submit over a secure connection, redirecting the user back to an unsecured connection once the login has been established. Something along the following lines:

  1. Unauthenticated user requests http://site/private/
  2. They're redirected to http://site/login/
  3. They submit their details securely to https://site/login/
  4. This establishes the login and redirects to http://site/private/

The standard contrib.auth views and decorators almost get me there, but they don't like switching protocols during the redirect. Attached is a simple patch that lets contrib.auth support the above workflow by doing two things:

  • allowing the 'next' argument to auth.views.login to contain a full URL, as long as it points to the correct host and not a third-party site
  • having the various auth decorators record the full URL when redirecting to the login page, rather than just the path information

I imagine that having logins traverse a secure connection like this would be fairly common practice, so it'd be great to see support for it in the core distribution.
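The second bullet above is the security-sensitive part: once `next` may carry a full URL, the view must check that the URL points back at the same host and not at a third party, or the login page becomes an open redirect. The following is an added, stand-alone illustration of such a check (not the attached patch and not Django's own helper); the host names `site` and `evil.example` are constructed, and `request_host` is assumed to be the value of the incoming `Host` header, port included.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect(target: str, request_host: str) -> bool:
    """Return True if ``target`` may be used as the post-login redirect.

    Accepts path-only targets ("/private/") and absolute URLs whose host
    (and port) equal ``request_host``; rejects anything that would send
    the user to a third-party site. A change of scheme (https login ->
    http site) is allowed, which is the workflow the ticket asks for.
    """
    if not target:
        return False
    # Leading/trailing whitespace and control characters are parsed
    # inconsistently by browsers; refuse rather than guess.
    if target != target.strip() or any(c in target for c in "\r\n\t"):
        return False
    # "//host", "/\host" and "///host" are scheme-relative to a browser
    # even though urlsplit() reports an empty netloc for some of them.
    if target.startswith(("//", "/\\")) or "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # A scheme without a host ("http:evil.example") is treated as an
    # absolute URL by some browsers.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Compare the whole netloc so "site@evil.example" (userinfo) and
    # "site.evil.example" cannot masquerade as the expected host.
    if parts.netloc and parts.netloc.lower() != request_host.lower():
        return False
    return True


def login_redirect_target(next_param: str, request_host: str,
                          default: str = "/") -> str:
    """Pick where to send the user after a successful login: the
    requested ``next`` if it passes the check, otherwise ``default``."""
    if is_safe_redirect(next_param, request_host):
        return next_param
    return default
```

Comparing the full `netloc` (including any port) against the `Host` header is deliberate: a prefix or suffix match would accept look-alike hosts.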

Attachments (1)

auth_redirect_ssl.diff (1.9 KB) - added by rfk 5 years ago.

Change History (3)

Changed 5 years ago by rfk

comment:1 Changed 5 years ago by jacob

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

comment:2 Changed 3 years ago by SmileyChris

  • Resolution set to fixed
  • Severity set to Normal
  • Status changed from new to closed
  • Type set to Uncategorized

This was fixed and is in 1.3.