On Wed, Jun 30, 2010 at 12:16 PM, Luke Plant <l.plant...@cantab.net> wrote:
> With Django's sessions and login method, you *do* have a session on the
> login page itself i.e. before the actual login step.  So you need to
> worry about session fixation etc. Even if not, and you are using your
> own login method, there is still "login CSRF" to worry about [1].
>
> Without the check for a HTTPS referer, you are wide open to a MITM
> attacker doing CSRF on your HTTPS connections.  The check isn't "erring
> on the side of caution" — that was what I *previously* thought it was,
> having not thought through the possible attacks, but in fact it is
> *absolutely essential*.  Without it, you should consider your site as
> having the same level of protection as an HTTP site.
>
> Yes, there are still some benefits to HTTPS (passwords not sent in
> plaintext), but you certainly don't have the kind of protection that
> would be expected in HTTPS, and in the general case you might find that
> all benefits are destroyed by what a successful attacker might be able
> to achieve (setting passwords etc.) unless you are extremely careful and
> have closed every possible loophole.  For these reasons, changing this
> behaviour — or even allowing it as an option — would be craziness for a
> general purpose framework.  An option is a bad idea in general, because
> it is global — and we certainly do *not* want this hole punched in the
> admin site.
>
> If you can really live with the security holes you want to make, that is
> absolutely up to you.  You can write your own middleware, and ensure its
> suitability for your needs.  But I cannot see an argument for supporting
> this as an option out of the box.

Fair enough. If the situation is potentially really this dire, as
you've convinced me that it is, then leaving it alone is the way to
go.

Thanks again for your time.

Paul
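To make the point in Luke's quoted message concrete, here is an added, self-contained illustration (example code written for this page, not Django's middleware). It implements a double-submit-cookie CSRF check with and without the strict HTTPS Referer rule, then simulates the network attacker described above: someone who controls the victim's plaintext HTTP traffic injects a CSRF cookie for the site and an auto-submitting form, so the cookie/form token comparison passes by construction. Only the Referer scheme check tells the forged HTTPS POST apart from a legitimate one. The hostname `bank.example`, the `Request` class and the function names are assumptions for the demonstration.

```python
"""
Constructed demonstration: why a double-submit CSRF cookie needs a strict
HTTPS Referer check.  Example code for this page, not Django's own
implementation; names, hosts and the attacker steps are assumed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import hmac
import secrets

TRUSTED_HOST = "bank.example"  # assumed hostname of the HTTPS site


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the CSRF check sees it."""
    method: str
    is_secure: bool
    host: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_check(request: Request, enforce_https_referer: bool = True):
    """Double-submit check: the cookie token must equal the form token.

    For HTTPS requests, additionally require a Referer whose scheme is https
    and whose host matches the request (the rule the thread calls essential).
    Returns (ok, reason).
    """
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True, "safe method"
    if request.is_secure and enforce_https_referer:
        referer = request.headers.get("Referer")
        if not referer:
            return False, "referer missing"
        parsed = urlparse(referer)
        if parsed.scheme != "https":
            return False, "referer not https"
        if parsed.hostname != request.host:
            return False, "referer host mismatch"
    cookie_token = request.cookies.get("csrftoken", "")
    form_token = request.post.get("csrfmiddlewaretoken", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return False, "token mismatch"
    return True, "ok"


def legitimate_request():
    """A genuine form submission from the HTTPS site itself."""
    token = secrets.token_hex(16)
    req = Request(
        method="POST", is_secure=True, host=TRUSTED_HOST,
        cookies={"csrftoken": token},
        post={"csrfmiddlewaretoken": token, "new_password": "hunter2"},
        headers={"Referer": "https://" + TRUSTED_HOST + "/password/"},
    )
    return csrf_check(req)


def mitm_attack(enforce_https_referer: bool):
    """Simulate the network-position attacker from the thread (constructed).

    1. The victim loads any plain-HTTP page.  The attacker, sitting on the
       path, answers as http://bank.example and injects a Set-Cookie for the
       csrftoken (cookies are keyed by host, not scheme, so the browser will
       send it to https://bank.example too) plus an auto-submitting form.
    2. The form POSTs to https://bank.example/password/ carrying the same
       token, so cookie and form token match by construction.  The browser
       sends the HTTP page's URL as Referer.
    """
    attacker_token = secrets.token_hex(16)
    forged = Request(
        method="POST", is_secure=True, host=TRUSTED_HOST,
        cookies={"csrftoken": attacker_token},          # injected over HTTP
        post={"csrfmiddlewaretoken": attacker_token, "new_password": "pwned"},
        headers={"Referer": "http://" + TRUSTED_HOST + "/"},  # attacker's page
    )
    return csrf_check(forged, enforce_https_referer)


if __name__ == "__main__":
    print("legitimate:", legitimate_request())
    print("MITM, referer check on :", mitm_attack(True))
    print("MITM, referer check off:", mitm_attack(False))
```

With the check enabled the forged POST is refused solely because the Referer scheme is `http`; the host matches and the tokens match. With the check disabled it is accepted, which is the "same level of protection as an HTTP site" outcome the message warns about. Note that the rejection depends on browsers sending a Referer from an HTTP page to an HTTPS one, which they do, while the reverse direction is where Referers are normally stripped.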

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.