Hi,
I would like to force https before login and after authentication for the
whole site. I would also like to force http (if there is any direct https
request) when the visitor is not authenticated and is not
requesting to do so.
By definition, auth's secure=True parameter seems to be what I want but it
forces https as soon as the visitor accesses the site. I checked the code
and it seems to be the intended behaviour if I am not mistaken (Have I
been?).
Just to see how it goes, in my model, right after auth is defined, I added
the below code.
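    # Force https for the auth pages and for any logged-in user
    if request.function=='user' or auth.user:
        request.requires_https()
    # Anonymous visitor who arrived over https: send back to http
    elif request.is_https:
        redirect(URL(scheme='http', vars=request.vars, args=request.args))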
This seems to do what I want (it protects the session too. If the user
navigates by typing an http address of the site, it loses the
authentication status as the browser does not send the secured session through
an http connection). I would appreciate any other idea or proposal.
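Added example, not part of the original post and not web2py code: a standard-library Python check of the behaviour described above, where a session cookie marked Secure is withheld from plain-http requests while the same cookie without the flag is sent. The host name, URL paths and cookie value are constructed, and the session_id_myapp cookie name is an assumption.

```python
# Added example: how a cookie-aware client treats the Secure attribute.
# Host, paths and cookie values below are constructed for illustration.
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "app.example.test"  # constructed host name


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        # CookieJar.extract_cookies() reads headers through info().get_all()
        return self._headers


def cookie_sent(set_cookie, scheme):
    """Store a cookie received over https, then return the Cookie header the
    client would attach to a follow-up request made over `scheme`
    (None when the cookie is withheld)."""
    jar = CookieJar()
    login = Request("https://%s/myapp/default/user/login" % HOST)
    jar.extract_cookies(FakeResponse(set_cookie), login)
    follow_up = Request("%s://%s/myapp/default/index" % (scheme, HOST))
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


SECURE = "session_id_myapp=abc123; Path=/; Secure"  # constructed value
PLAIN = "session_id_myapp=abc123; Path=/"           # same cookie, no Secure

if __name__ == "__main__":
    for label, cookie in (("Secure", SECURE), ("no Secure", PLAIN)):
        for scheme in ("https", "http"):
            print("%-9s %-5s -> %r" % (label, scheme, cookie_sent(cookie, scheme)))
```

The loss of authentication status over http depends on the Secure flag being present on the session cookie; without it the session identifier travels over http in clear text.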