I am trying to get session cookies set so they are only returned over ssl connections. I looked in AWDWR and see there is a parameter :session_secure. The book says 'If true, sessions will be enabled only over https://'. The example code in that section of the book shows:

    class ApplicationController < ActionController::Base
      session :session_key => 'somekey_text'
    end

So I tried setting session :session_secure => true in ApplicationController. No change.

I found this post http://www.rorsecurity.info/journal/2007/4/12/session-hijacking.html on session hijacking that suggested:

To instruct the browser only to send the cookie over encrypted HTTPS and never over normal HTTP, you have to include the following line in the config/environment.rb file.

    ActionController::Base.session_options[:session_secure] = true

I tried that (and yes, restarted my server) but no change. My Rails version is 2.3.5.

I am trying to verify things by looking at the cookie information in the Firefox preferences pane. I have some cookies that report "Send For: Encrypted connections only" but no matter what I set in my rails app, that cookie says "Send For: Any type of connection".

Don't think it should matter, but I am testing with Apache2 proxying to Mongrel. My production hosting will be Apache + passenger.

This is driving me mad. Thanks in advance,

--
Cynthia Kiser
cynthia.kiser-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
On Feb 3, 2:08 am, Cynthia Kiser <cynthia.ki...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> ActionController::Base.session_options[:session_secure] = true
>
> I tried that (and yes, restarted my server) but no change. My Rails version
> is 2.3.5

The names of the session options changed in 2.3. Try just :secure instead

Fred
> The names of the session options changed in 2.3. Try just :secure
> instead

Thank you Fred. That was just the ticket! In config/environment.rb:

    ActionController::Base.session_options[:secure] = true

--
Cynthia Kiser
cynthia.kiser-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
I tried ActionController::Base.session_options[:secure] = true and the session cookie is not set at all. If I set it to false everything works fine but if it's true the server never sets the cookie even if the request is over https (although my understanding is that it should set it anyway)

--
Posted via http://www.ruby-forum.com/.
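A scripted alternative to reading the Firefox cookie pane, as an added example that is not part of the original thread: it classifies the session cookie in a response's Set-Cookie headers as secure, insecure or missing, the last matching the "cookie is not set at all" case reported above. The cookie name `_myapp_session` and all header values are constructed samples.

```ruby
# Added example: classify a session cookie from raw Set-Cookie header values.
# The cookie name and the header strings below are constructed samples.

# Parse one Set-Cookie value into its name, value and attribute hash.
# Attribute names are case-insensitive, so they are stored lower-cased.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  return nil if pair.nil? || !pair.include?('=')
  name, value = pair.split('=', 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    next if key.nil? || key.empty?
    attributes[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attributes }
end

# Returns :missing when the response never set the cookie,
# :secure when it carries the Secure attribute, :insecure otherwise.
# If the cookie is set more than once, the last header wins.
def session_cookie_status(set_cookie_headers, cookie_name)
  cookies = set_cookie_headers.map { |h| parse_set_cookie(h) }.compact
  cookie = cookies.reverse.find { |c| c[:name] == cookie_name }
  return :missing if cookie.nil?
  cookie[:attributes].key?('secure') ? :secure : :insecure
end

# Constructed responses covering the situations described in the thread.
SAMPLES = {
  'flag not applied'        => ['_myapp_session=abc123; path=/; HttpOnly'],
  'flag applied'            => ['_myapp_session=abc123; path=/; Secure; HttpOnly'],
  'session cookie not set'  => ['other_pref=1; path=/'],
  # A value that happens to be "secure" must not count as the attribute.
  'value looks like a flag' => ['_myapp_session=secure; path=/']
}

SAMPLES.each do |label, headers|
  puts "#{label}: #{session_cookie_status(headers, '_myapp_session')}"
end
```
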