Here is a short description of the website I am working on:

  • Public pages can be accessed via HTTP or HTTPS indifferently.

  • Some other pages (authentication page, account details page, etc.) must be accessed over HTTPS. Apache2 takes care of the relevant HTTP to HTTPS redirections.

  • I use the standard Django authentication system with 'django.contrib.sessions' added to the INSTALLED_APPS in settings.py.

  • Following recommendations in the Django doc, I have set SESSION_COOKIE_SECURE to True in settings.py.

  • On all pages, I display on the top a little box that either displays a link to login (if the user is not authenticated), or a link to the account page saying "Welcome, [Your Name]".

My problem is the following: If a user authenticates and goes later to a public page by using an HTTP link, the session cookie will not be transmitted to the server (because SESSION_COOKIE_SECURE = True). That will cause the box on the top of the page to display a login link rather than "Welcome, [Your Name]".

How can I display the "Welcome, [Your Name]" on public pages for authenticated users, even if they use HTTP? Of course, I would like to keep the access to the sensitive pages safe, and I should therefore keep SESSION_COOKIE_SECURE = True to avoid possible stealing of the session token.

You cannot both secure the session cookie with SESSION_COOKIE_SECURE and allow full access to the session over HTTP. If there is a subset of the session information (such as the user's name) that you don't mind exposing over HTTP, it's possible to create an additional, non-secure cookie to allow access to that from your public pages. That idea is discussed in this question.

As you see in that discussion (see here as well), most security-conscious developers encourage using HTTPS at all times. That will be the simplest and most secure route, and nowadays does not incur much extra cost.

If you decide to stick with allowing HTTP access, be sure to make use of the other security measures that Django exposes (e.g. SESSION_COOKIE_HTTPONLY and CSRF settings).

  • The two questions you mention convinced me. Full HTTPS use does not really increase the load of the server nowadays. – mimo Aug 26 '14 at 20:24
  • Still, it is possible to achieve what my question asks by using a secure cookie plus another insecure cookie that could simply contain "Your Name" (which I don't care if it is tampered with). However, implementing this is quite complex to achieve, especially as this "Your Name" is only one of the multiple elements I would like to be able to retrieve by HTTP; that's why I asked. – mimo Aug 26 '14 at 20:33
  • @Tony: It all depends on what you want to include on your "public pages". If there's nothing there that you don't mind an attacker seeing, then the double cookie technique could work. There may be a use case for it, though I agree with the consensus that just using HTTPS is almost always going to be the better solution. That said, I'll update the answer to acknowledge that possibility. – Kevin Christopher Henry Aug 26 '14 at 21:06
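The double-cookie technique the answer and comments describe, as an added example that is neither from the question, the answer, nor Django itself: the Secure `sessionid` cookie stays as Django sets it, and a second non-Secure `display` cookie carries only the display name, HMAC-signed (with the standard library, standing in for Django's `SECRET_KEY`-based signing) so the greeting at least cannot be silently altered. The cookie names, the secret and the 24-hour lifetime are constructed assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed example secret; in a Django project this would be settings.SECRET_KEY.
SECRET = b"constructed-example-secret"
MAX_AGE = 24 * 3600  # seconds the display cookie is honoured

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def make_display_cookie(display_name: str, now: Optional[int] = None) -> str:
    """Value for the non-Secure 'display' cookie: b64(json payload) + '.' + HMAC."""
    payload = {"n": display_name, "t": int(time.time() if now is None else now)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def read_display_cookie(value: Optional[str], now: Optional[int] = None) -> Optional[str]:
    """Return the display name, or None if the cookie is absent, tampered with or stale."""
    if not value or "." not in value:
        return None
    body, sig = value.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):  # tampered: ignore it, never crash
        return None
    data = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if int(time.time() if now is None else now) - data["t"] > MAX_AGE:
        return None
    return data["n"]

def browser_sends(jar: dict, https: bool) -> dict:
    """Simulate the browser: cookies flagged Secure are only sent over HTTPS."""
    return {name: c["value"] for name, c in jar.items() if https or not c["secure"]}

def welcome_box(cookies: dict) -> str:
    """Top-of-page box. The display cookie drives only the greeting; anything sensitive
    must still be checked against the Secure session cookie on an HTTPS page."""
    name = read_display_cookie(cookies.get("display"))
    return f"Welcome, {name}" if name else "Log in"
```

In Django the second cookie would be set after login with `response.set_cookie("display", value, secure=False, httponly=True)` and cleared on logout; the HTTP pages read it in a context processor, while the HTTPS pages keep using `request.user` as before.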