This is actually a fairly large security hole unless you are carefully
controlling when the auth cookies are being passed to avoid sending those
cookies in the clear. Also, the performance on https these days shouldn't be
an issue; more and more sites are moving to pure-https.

Regardless, the pregenerator on a route exists for this reason, although
it's fairly verbose. Basically you can create a pregenerator for a route
that modifies the _app_url property to be what you want when generating a
URL for that route.

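def http_only(request, elements, kw):
    # Override the base URL used when generating URLs for this route.
    kw['_app_url'] = 'http://' + request.host + request.script_name
    return elements, kw

# Attach the pregenerator to the route that should always be plain http.
config.add_route('public', '/public', pregenerator=http_only)

request.route_url('public')  # -> http always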

-- 

Michael
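
The cookie exposure raised at the top of this reply, as an added example that is not part of the original message: Python's standard-library cookie jar decides, the way a browser does, whether an auth cookie is attached to the http URL that the pregenerator produces. The host example.com, the /account route and the cookie value are constructed for illustration; auth_tkt is the default cookie name of Pyramid's AuthTkt policy.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed sample URLs; example.com and /account are hypothetical.
HTTP_PUBLIC = "http://example.com/public"      # what the http_only route generates
HTTPS_ACCOUNT = "https://example.com/account"  # a route left on https


def auth_cookie(secure):
    """Build the auth cookie as a client would store it after logging in."""
    return Cookie(
        version=0, name="auth_tkt", value="constructed-ticket",
        port=None, port_specified=False,
        domain="example.com", domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure,  # the Secure attribute is the only thing varied here
        expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent(jar, url):
    """Return the names of the cookies the client attaches to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies domain, path and Secure matching
    header = req.get_header("Cookie", "")
    return [pair.split("=", 1)[0] for pair in header.split("; ") if pair]


def exposure(secure):
    """Map each URL to the cookies sent there for a given Secure setting."""
    jar = CookieJar()
    jar.set_cookie(auth_cookie(secure))
    return {url: cookies_sent(jar, url) for url in (HTTP_PUBLIC, HTTPS_ACCOUNT)}


if __name__ == "__main__":
    for secure in (False, True):
        print("Secure=%s -> %s" % (secure, exposure(secure)))
```

Without the Secure attribute the ticket travels with every request to the http route; with it, only the https route receives it, so views behind the http route cannot rely on the login.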
