Login pages should be served using SSL in order to protect against phishing attacks. SSL guarantees to the user that they are connected to the site in question.
Put the following code in your application.cfc file:
<!--- Redirect any request that did not arrive over SSL to the same page over https --->
<cfif trim(cgi.https) eq "off">
    <cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="no">
</cfif>
Sometimes user authentication (and thus the login page) is already handled for you when on a server configured to use the university's authentication portal page (e.g. UT Direct or servers using the mod_eid Apache module).
Django's request object (HttpRequest) has a method named is_secure() that will tell you whether or not the request came over SSL. If request.is_secure() is False, you could redirect to the same location, but using https. You must take care with is_secure(), though. For example, if there is a proxy or load balancer in front of your web server(s), it is possible that the proxy is handling requests over SSL connections, but then forwarding those requests over non-SSL connections to the server running Django. In this case, is_secure() would evaluate to False, even though the request did come in over SSL.
If you have access to your web server's configuration, you could put the https check and redirect logic in the server's config instead of in your Django code.
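The check-and-redirect logic described above, written as a framework-independent Python example (added here; not code from the original page or from Django itself). It mirrors what is_secure() decides and shows the proxy case: the scheme the app server saw is "http", so the only way to know the client used SSL is to trust a header that the TLS-terminating proxy sets. The function and parameter names are assumptions for this example; in Django the equivalent configuration is the SECURE_PROXY_SSL_HEADER setting.

```python
from urllib.parse import urlunsplit


def request_is_secure(scheme, headers, proxy_header=None):
    """Decide whether the client's connection used SSL.

    scheme       -- scheme the app server itself saw ("http" or "https")
    headers      -- request headers as a dict (looked up case-insensitively)
    proxy_header -- optional (name, value) pair that a TLS-terminating proxy
                    sets on forwarded requests, e.g. ("X-Forwarded-Proto", "https").
                    Only trust this when the proxy overwrites the header on
                    every request; otherwise a client could supply it and
                    bypass the redirect.
    """
    if scheme == "https":
        return True
    if proxy_header is None:
        # No trusted proxy configured: a proxied SSL request looks insecure
        # here, which is exactly the situation the text above warns about.
        return False
    name, expected = proxy_header
    lowered = {key.lower(): value for key, value in headers.items()}
    return lowered.get(name.lower()) == expected


def https_redirect(scheme, host, path, query, headers, proxy_header=None):
    """Return the https:// URL to redirect to, or None if no redirect is needed.

    Path and query string are preserved so the user lands on the same page.
    """
    if request_is_secure(scheme, headers, proxy_header):
        return None
    return urlunsplit(("https", host, path, query, ""))


if __name__ == "__main__":
    # Constructed sample requests (not real traffic).
    direct = https_redirect("http", "login.example.edu", "/login/", "next=/", {})
    print("direct http request ->", direct)

    behind_proxy = {"X-Forwarded-Proto": "https"}
    untrusted = https_redirect("http", "login.example.edu", "/login/", "", behind_proxy)
    trusted = https_redirect("http", "login.example.edu", "/login/", "", behind_proxy,
                             proxy_header=("X-Forwarded-Proto", "https"))
    print("proxied, header not trusted ->", untrusted)   # redirect loop risk
    print("proxied, header trusted     ->", trusted)     # None: no redirect
```

Without the trusted proxy header, the proxied case redirects to https, the proxy forwards it again as http, and the cycle repeats; this is why the text suggests moving the check into the web server configuration when a proxy is in front.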
If you are building a web application, force the use of HTTPS for a specified resource using a <security-constraint> section in the web.xml file.
<security-constraint>
    ....
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Caveat: Don't do this if SSL is terminated in front of your server by a device such as a load balancer, SSL accelerator, or application firewall.