Skye Weir-Mathews
2010-Jun-08 22:35 UTC
How do I set session_id cookies securely on an http page?
I added ActionController::Base.session_options[:secure] = true to ~/config/environments/production.rb and now my app sets a different session_id cookie on every request to a non ssl page, making the session useless.

If my session_id cookie is set by a request to a https page, and I stay on https pages, my session_id cookie persists and I can see my session data.

If I navigate to an unencrypted page, my session_id gets reset and I lose access to all my session data.

Is this how it's supposed to work? Is there a way to bounce back and forth between http and https pages without resetting the session_id cookie, and still only set the cookie securely?

Is there a way to only pass the session_id over ssl, but have the rest of the page be unencrypted?

-- Posted via http://www.ruby-forum.com/.

-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Frederick Cheung
2010-Jun-09 08:32 UTC
Re: How do I set session_id cookies securely on an http page?
On Jun 8, 11:35 pm, Skye Weir-Mathews <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> If my session_id cookie is set by a request to a https page, and I stay
> on https pages, my session_id cookie persists and I can see my session
> data.
>
> If I navigate to an unencrypted page, my session_id gets reset and I
> lose access to all my session data.
>
> Is this how it's supposed to work? Is there a way to bounce back and
> forth between http and https pages without resetting the session_id
> cookie, and still only set the cookie securely.
>
> Is there a way to only pass the session_id over ssl, but have the rest
> of the page be unencrypted?

The session cookie is just a header in the http response - it can't be sent separately. Moreover, setting :secure on the session doesn't cause the session cookie to be sent to the browser any differently, it tells the browser 'only send this cookie with requests if the connection is secure'. If you want the session to persist across ssl and non ssl loads then don't set the :secure option.

Fred
Skye Weir-Mathews
2010-Jun-10 01:21 UTC
Re: How do I set session_id cookies securely on an http page?
The thing that is confusing me is that I have the :secure session_option set, but when I go to an insecure page the Set-Cookie _session_id header is passed to me, and this appears to be replacing the _session_id cookie I got when I was on the secure page. Both secure and insecure pages are sending this header:

Set-Cookie: _session_id=c60ed753dca8d48c0c4cef57f048d4e9; path=/; Secure; HttpOnly

I would be happy if I could get the insecure pages to stop sending the Set-Cookie header. However, since sessions are now "lazy loaded" I think I'm supposed to find everything in the application (on the http pages) that stores stuff in the session, and make it stop. This is inconvenient because I use flash[:notice] a lot for error messaging.

Am I understanding this correctly?

Am I correct in thinking that my only options are to:

1. set sessions securely
2. use sessions in the insecure parts of my application

but I definitely can't have both?

Frederick Cheung wrote:
> On Jun 8, 11:35 pm, Skye Weir-Mathews <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>
>> Is there a way to only pass the session_id over ssl, but have the rest
>> of the page be unencrypted?
>
> The session cookie is just a header in the http response - it can't be
> sent separately. Moreover, setting :secure on the session doesn't
> cause the session cookie to be sent to the browser any differently, it
> tells the browser 'only send this cookie with requests if the
> connection is secure'. If you want the session to persist across ssl
> and non ssl loads then don't set the :secure option
>
> Fred
Frederick Cheung
2010-Jun-10 09:36 UTC
Re: How do I set session_id cookies securely on an http page?
On Jun 10, 2:21 am, Skye Weir-Mathews <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> The thing that is confusing me is that, I have the :secure
> session_option set, but when I go to an insecure page the Set-Cookie
> _session_id header is passed to me, and this appears to be replacing the
> _session_id cookie I got when I was on the secure page.

When you go to an insecure page, your browser doesn't send the existing session cookie (because you've marked it as secure), so rails creates a new session (when you first use it).

> Am I understanding this correctly?
>
> Am I correct in thinking that my only options are to:
>
> 1. set sessions securely
> 2. use sessions in the insecure parts of my application
>
> but I definitely can't have both?

If you had separate subdomains (a secure and a non secure) then things would just work (because the browser wouldn't try and use the same cookies across both domains).

Fred
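As an added illustration, not code from this thread or from Rails, of the two points Fred makes above: a constructed browser cookie jar that applies the Secure rule from RFC 6265, plus a stand-in for a Rails app with session_options[:secure] set, walked through the https/http/https sequence Skye saw and through the separate-subdomain layout Fred suggests. The App class, the session-id format and the host names are assumptions.

```ruby
require 'securerandom'
require 'uri'
# Constructed browser cookie jar following RFC 6265 (5.3 and 5.4): a Secure
# cookie is stored however it arrived (the 2010-era behaviour this thread saw)
# but is only attached to requests whose scheme is https.
class CookieJar
  def initialize
    @cookies = {} # keyed by [host, name]; a newer cookie replaces an older one
  end

  def store(host, set_cookie)
    pair, *attrs = set_cookie.split(';').map(&:strip)
    name, value = pair.split('=', 2)
    @cookies[[host, name]] = { value: value, secure: attrs.include?('Secure') }
  end

  # Cookie request header for url, or nil when no stored cookie may be sent.
  def header_for(url)
    uri = URI(url)
    ok = @cookies.select { |(h, _), c| h == uri.host && (!c[:secure] || uri.scheme == 'https') }
    ok.empty? ? nil : ok.map { |(_, n), c| "#{n}=#{c[:value]}" }.join('; ')
  end
end

# Constructed stand-in for a Rails app with session_options[:secure] set: a
# request carrying no known _session_id lazily gets a brand-new session.
class App
  def initialize(secure:)
    @secure, @sessions = secure, {}
  end

  # Returns [session_id, set_cookie_header_or_nil].
  def call(cookie_header)
    sid = cookie_header && cookie_header[/_session_id=(\w+)/, 1]
    return [sid, nil] if sid && @sessions.key?(sid)
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    [sid, "_session_id=#{sid}; path=/; #{'Secure; ' if @secure}HttpOnly"]
  end
end

# Walks one browser through a sequence of page loads and returns the session
# id the server used for each request, so the cookie behaviour can be compared.
def session_ids_for(urls, secure:)
  jar, app = CookieJar.new, App.new(secure: secure)
  urls.map do |url|
    sid, set_cookie = app.call(jar.header_for(url))
    jar.store(URI(url).host, set_cookie) if set_cookie
    sid
  end
end
```

Current browsers go further than the 2010 behaviour modelled here and refuse a Secure cookie delivered over plain http, so today the http page would not overwrite the https session's cookie, but the browser still would not send that cookie over http and the http page would still get its own separate session.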
Skye Weir-Mathews
2010-Jun-11 22:36 UTC
Re: How do I set session_id cookies securely on an http page?
I was talking with a friend, and he suggested I store my shopping cart data in cookies; then I wouldn't need sessions until I got to the checkout pages (where they are getting set securely). Do you have an opinion on this? It seems easier than implementing subdomains to me.

Also, thank you so much for your insight; the magic of sessions is becoming a lot clearer to me.

Frederick Cheung wrote:
> When you go to an insecure page, your browser doesn't send the
> existing session cookie (because you've marked it as secure), so rails
> creates a new session (when you first use it)
>
> f you had separate subdomains (a secure and a non secure) then things
> would just work (because the browser wouldn't try and use the same
> cookies across both domains
>
> Fred