问题描述
以下是我正在处理的网站的简短说明:
Here is a short description of the website I am working on:
-
可以通过HTTP或HTTPS访问公共页面无差别地。
Public pages can be accessed via HTTP or HTTPS indifferently.
需要通过HTTPS访问其他一些页面(身份验证页面,帐户详细信息页面等)。 Apache2负责制作相关的HTTP到HTTPS链接重定向。
Some other pages (authentication page, account details page, etc) require to be accessed by HTTPS. Apache2 takes care of making the relevant HTTP to HTTPS link redirections.
我使用带有'django.contrib的标准Django身份验证系统。会话'已添加到 settings.py 中的 INSTALLED_APPS 。
I use the standard Django authentication system with 'django.contrib.sessions' added to the INSTALLED_APPS in settings.py.
遵循,我在 settings.py SESSION_COOKIE_SECURE 设置为 True / code>。
Following recommendations in the Django doc, I have set SESSION_COOKIE_SECURE to True in settings.py.
在所有页面上,我在顶部显示一个小框,显示登录链接(如果用户不是经过身份验证的),或指向欢迎,[您的姓名]的帐户页面的链接。
On all pages, I display on the top a little box that either displays a link to login (if the user is not authenticated), or a link to the account page saying "Welcome, [Your Name]".
我的问题是以下内容:如果用户通过HTTP链接进行身份验证并稍后转到公共页面,则会话cookie将不会传输到服务器(因为 SESSION_COOKIE_SECURE = True )。这将导致页面顶部的框显示登录链接而不是欢迎,[您的姓名]。
My problem is the following: If a user authenticates and goes later to a public page by using an HTTP link, the session cookie will not be transmitted to the server (because SESSION_COOKIE_SECURE = True). That will cause the box on the top of the page to display a login link rather than "Welcome, [Your Name]".
如何显示欢迎, [您的姓名]在经过身份验证的用户的公共页面上,即使他们使用HTTP?当然,我希望保持对敏感页面的访问安全,因此我应该保持 SESSION_COOKIE_SECURE = True ,以避免可能窃取会话令牌。
How can I display the "Welcome, [Your Name]" on public pages for authenticated users, even if they use HTTP? Of course, I would like to keep the access to the sensitive pages safe, and I should therefore keep SESSION_COOKIE_SECURE = True to avoid possible stealing of the session token.
推荐答案
您不能同时使用 SESSION_COOKIE_SECURE 保护会话cookie,并允许完全访问会话通过HTTP。如果您不介意通过HTTP公开会话信息的子集(例如用户名),则可以创建一个额外的非安全cookie,以允许从公共页面访问该cookie。 讨论了这个想法。
You cannot both secure the session cookie with SESSION_COOKIE_SECURE and allow full access to the session over HTTP. If there is a subset of the session information (such as the user's name) that you don't mind exposing over HTTP, it's possible to create an additional, non-secure cookie to allow access to that from your public pages. That idea is discussed in this question.
正如你在讨论中看到的那样(参见也是如此),大多数注重安全性的开发人员始终鼓励使用HTTPS。这将是最简单和最安全的路线,现在不会产生太多额外费用。
As you see in that discussion (see here as well), most security-conscious developers encourage using HTTPS at all times. That will be the simplest and most secure route, and nowadays does not incur much extra cost.
如果您决定坚持允许HTTP访问,请务必使用Django公开的其他安全措施(例如和CSRF设置)。
If you decide to stick with allowing HTTP access, be sure to make use of the other security measures that Django exposes (e.g. SESSION_COOKIE_HTTPONLY and CSRF settings).
这篇关于当SESSION_COOKIE_SECURE = True时,如何在HTTP中获取一些用户身份信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!