On 3 Feb 2015, at 16:44, Jon Dufresne <[email protected]> wrote:
> 
> However some URLs are accessed by a unique URL
> containing a nonce without a login. Login is not an option for these
> URLs. Sharing this URL is considered very bad and I would like to
> avoid it happening unintentionally.

You can fix that problem by saving some authentication info in the user's 
session, most likely with a custom auth backend — see django-sesame for an 
example of how to do this. Then redirect immediately to a URL that doesn't 
contain the nonce. Of course all this must happen over HTTPS to reduce the 
likelihood of leaving the nonce in the logs of various caches or reverse 
proxies.

Another very simple option for fixing referers is to remove all external links 
from your website. I can't say if that's an acceptable constraint for you.

Even then, you'll still leak the hostname because of DNS requests and possibly 
URLs e.g. in corporate environments that put their CA in their users' browsers 
and reverse proxy HTTPS connections...

Depending on your goals, the answer may be Tor Browser.

-- 
Aymeric.
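As an added example (not code from this thread, and not django-sesame's own API), here is a framework-free Python sketch of the flow described above: the nonce in the URL is a signed, time-limited token; the view verifies it, records the user in the session, and immediately redirects to a URL without the nonce so later Referer headers never carry it. The `query` and `session` dicts, the secret key and the `/account/` target are assumptions standing in for request.GET, request.session and a real custom auth backend.

```python
import base64, binascii, hashlib, hmac

# Constructed demo key; a real deployment uses the application's secret key.
SECRET_KEY = b"constructed-demo-secret-key"


def make_login_token(user_id: int, issued_at: int) -> str:
    """Sign 'user_id:issued_at' with HMAC-SHA256; this is the nonce placed in the URL."""
    payload = f"{user_id}:{issued_at}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    b64 = lambda b: base64.urlsafe_b64encode(b).decode().rstrip("=")
    return f"{b64(payload)}.{b64(sig)}"


def verify_login_token(token: str, now: int, max_age: int = 3600):
    """Return the user id if the signature is valid and the token is fresh, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        pad = lambda s: s + "=" * (-len(s) % 4)
        payload = base64.urlsafe_b64decode(pad(payload_b64))
        sig = base64.urlsafe_b64decode(pad(sig_b64))
        user_id, issued_at = (int(x) for x in payload.decode().split(":"))
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if not 0 <= now - issued_at <= max_age:  # reject expired or future-dated tokens
        return None
    return user_id


def token_login_view(query: dict, session: dict, now: int) -> tuple[int, dict]:
    """Exchange the URL nonce for session state, then redirect to a nonce-free URL.

    `query` and `session` are stand-ins (assumption) for request.GET and request.session.
    Returns (status_code, headers)."""
    user_id = verify_login_token(query.get("token", ""), now)
    if user_id is None:
        return 403, {}
    session["user_id"] = user_id  # what a custom auth backend would record on login
    # The redirect target carries no nonce, so pages linked from it cannot leak it via Referer.
    return 302, {"Location": "/account/"}
```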

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/3D2ECCCA-65BD-44C1-AB4F-B9BED8278A2A%40polytechnique.org.