Good point on the psycho part. And my mistake, I saw a page once where the inline form submit was just SSL and I was thinking about that.
The answer partially rests on your webserver, because Django itself (as far as I know) doesn't distinguish between the two. An approach could be to have your webserver in front of the app rewriting/redirecting the /login /logout (as an example) requests to https. And leaving the 'after login redirect' after logging in alone, and thus being back on regular http.

Regards,

Gerard.

Jani Tiainen wrote:
> Technically yes.
>
> From a psychological point you need to provide SSL for the login screen
> already so the end user gets visual feedback that he's in a secure transaction
> and the certificate is validated.
>
> So yes, it should be a "secure login" page, that forwards the user back to
> nonsecure pages after login is successful.
>
> Gerard wrote:
>> I think that technically only your form submit should be posted to an SSL
>> based url and the rest doesn't have to. Which shouldn't be so hard. Just
>> set up the 'post to' url in the template (under: form action="" ) or define
>> it in the view method where the form is initiated just before rendering.
>>
>> Thing I'm wondering about though, when the user/password combi is incorrect
>> the most secure way would be to simply send the empty form back in the
>> resulting page, because otherwise a username might be sent back to the
>> client outside the SSL connect.
>>
>> Haven't looked for it yet, but I do want to implement that myself. Let's post
>> if we find anything :)
>>
>> Regards,
>>
>> Gerard.
>>
>> Jani Tiainen wrote:
>>> I'm trying to get Django to make authentication (namely username +
>>> password) be transferred over HTTPS. But the rest of the site is still on
>>> plain old HTTP.
>>>
>>> How can this be done? I've had very little success and Google didn't give
>>> much help either.
>>>
>>> I'm using Apache 2.2 with mod_wsgi and I've total control over my
>>> webserver config.
--
self.url = www.gerardjp.com

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
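The approach discussed in this thread (send /login and /logout to HTTPS, leave the rest of the site on HTTP), sketched as a WSGI wrapper that could sit in front of the application under mod_wsgi. This is an added example, not code from the thread or from Django; the class name, the `https_host` parameter, `www.example.com` and the demo helpers are assumptions. It also refuses a login form POSTed over plain HTTP, since by then the password has already been sent unencrypted.

```python
from urllib.parse import quote

class SecureLoginMiddleware:
    """WSGI wrapper (hypothetical name): force HTTPS on credential paths only."""

    def __init__(self, app, https_host, secure_paths=("/login", "/logout")):
        self.app = app
        self.https_host = https_host  # assumption: configured, not read from Host header
        self.secure_paths = tuple(p.rstrip("/") for p in secure_paths)

    def _is_secure_path(self, path):
        path = path.rstrip("/")
        return any(path == p or path.startswith(p + "/") for p in self.secure_paths)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if environ.get("wsgi.url_scheme") == "https" or not self._is_secure_path(path):
            return self.app(environ, start_response)  # rest of the site is untouched
        if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
            # A form POSTed over http has already sent the password in clear text;
            # redirecting cannot undo that, so refuse it instead of processing it.
            body = b"Submit this form over HTTPS.\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        location = "https://" + self.https_host + quote(environ.get("SCRIPT_NAME", "") + path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("302 Found", [("Location", location), ("Content-Length", "0")])
        return [b""]

def demo_app(environ, start_response):
    """Constructed stand-in for the Django WSGI application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def request(app, method, scheme, path, query=""):
    """Constructed test driver: returns (status, headers dict, body bytes)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": path, "QUERY_STRING": query, "SCRIPT_NAME": ""}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

site = SecureLoginMiddleware(demo_app, https_host="www.example.com")
```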

