views:

138

answers:

1

Hi,

I'm using Django 1.1.1 with the ssl redirect middleware.

Sessions data (authentication etc.) created via HTTPS are not available in the HTTP portions of the site.

What is the best way to make it available without having to make the entire site HTTPS?

+2  A: 

This is by design, and not something you can readily change.

Cookies/authentication sent via HTTPS are not sent by the browser when the same site is viewed via HTTP. Your best solution is probably to redirect the user from a HTTPS page to a HTTP page that sets your authentication cookie.

Keep in mind that this unauthenticated cookie, sent in plaintext over the wire, opens your users to spoofing and replay attacks. This may not matter for your application.

Paul McMillan