The thing that is confusing me is that I have the :secure session_option set, but when I go to an insecure page the Set-Cookie _session_id header is passed to me, and this appears to be replacing the _session_id cookie I got when I was on the secure page.
Both secure and insecure pages are sending this header:

Set-Cookie: _session_id=c60ed753dca8d48c0c4cef57f048d4e9; path=/; Secure; HttpOnly

I would be happy if I could get the insecure pages to stop sending the Set-Cookie header. However, since sessions are now "lazy loaded", I think I'm supposed to find everything in the application (on the http pages) that stores stuff in the session, and make it stop. This is inconvenient because I use flash[:notice] a lot for error messaging.

Am I understanding this correctly? Am I correct in thinking that my only options are to:

1. set sessions securely
2. use sessions in the insecure parts of my application

but I definitely can't have both?

Frederick Cheung wrote:
> On Jun 8, 11:35 pm, Skye Weir-Mathews <[email protected]> wrote:
>
>> Is there a way to only pass the session_id over ssl, but have the rest
>> of the page be unencrypted?
>
> The session cookie is just a header in the http response - it can't be
> sent separately. Moreover, setting :secure on the session doesn't
> cause the session cookie to be sent to the browser any differently, it
> tells the browser 'only send this cookie with requests if the
> connection is secure'. If you want the session to persist across ssl
> and non ssl loads then don't set the :secure option
>
> Fred

-- 
Posted via http://www.ruby-forum.com/.
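The exchange above turns on what the Secure attribute actually does on the browser side. The following Ruby script is an added example, not code from the original thread or from Rails: it models a minimal browser cookie jar and replays the scenario Skye describes (a Secure session cookie set over https, a later http page that withholds it and then sets a replacement). The cookie values, the example.test host and the function names are assumptions made for the example. The jar also has a strict_secure switch modelling the later RFC 6265bis "Leave Secure Cookies Alone" rule, under which a browser refuses to store a Secure cookie that arrives over plain http, which is why the overwrite seen in the post no longer happens in current browsers.

```ruby
require 'uri'

# Minimal model of one cookie as a browser would store it.
Cookie = Struct.new(:name, :value, :path, :secure, :http_only, keyword_init: true)

# Parse a Set-Cookie header value such as
#   "_session_id=abc; path=/; Secure; HttpOnly"
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  cookie = Cookie.new(name: name, value: value, path: '/', secure: false, http_only: false)
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    case key.downcase
    when 'path'     then cookie.path = val
    when 'secure'   then cookie.secure = true
    when 'httponly' then cookie.http_only = true
    end
  end
  cookie
end

# A toy cookie jar implementing just the rules relevant to the Secure attribute.
class CookieJar
  def initialize(strict_secure: false)
    @cookies = {}                 # keyed by [name, path], so a same-name cookie replaces the old one
    @strict_secure = strict_secure
  end

  # Apply a Set-Cookie header received in the response for response_url.
  # Returns true if the cookie was stored, false if it was rejected.
  def store(header, response_url)
    cookie = parse_set_cookie(header)
    over_https = URI(response_url).scheme == 'https'
    # RFC 6265bis "Leave Secure Cookies Alone": a non-secure origin may not set a Secure cookie.
    return false if @strict_secure && cookie.secure && !over_https
    @cookies[[cookie.name, cookie.path]] = cookie
    true
  end

  # Build the Cookie request header the browser would send to request_url.
  # The Secure attribute only affects *sending*: such cookies are withheld over http.
  def cookie_header(request_url)
    uri = URI(request_url)
    over_https = uri.scheme == 'https'
    @cookies.values
            .select { |c| uri.path.start_with?(c.path) && (over_https || !c.secure) }
            .map { |c| "#{c.name}=#{c.value}" }
            .join('; ')
  end
end

# Replay the situation from the post (constructed sample headers and URLs).
def replay_post_scenario(strict_secure: false)
  jar = CookieJar.new(strict_secure: strict_secure)

  # 1. Secure page sets the session cookie with :secure => true.
  jar.store('_session_id=c60ed753dca8d48c0c4cef57f048d4e9; path=/; Secure; HttpOnly',
            'https://example.test/login')
  sent_to_https = jar.cookie_header('https://example.test/account')

  # 2. Browser visits a plain-http page: the Secure cookie is not sent at all.
  sent_to_http = jar.cookie_header('http://example.test/about')

  # 3. That http response (session touched, e.g. via flash[:notice]) sets a fresh cookie.
  stored = jar.store('_session_id=0123456789abcdef0123456789abcdef; path=/; Secure; HttpOnly',
                     'http://example.test/about')
  sent_after = jar.cookie_header('https://example.test/account')

  { sent_to_https: sent_to_https, sent_to_http: sent_to_http,
    http_set_cookie_stored: stored, sent_after: sent_after }
end

if __FILE__ == $PROGRAM_NAME
  puts "classic browser: #{replay_post_scenario.inspect}"
  puts "strict browser:  #{replay_post_scenario(strict_secure: true).inspect}"
end
```

With strict_secure: false the run shows exactly what the post reports: the https request carries the session cookie, the http request carries nothing, and the http response's Set-Cookie then replaces the stored session id. With strict_secure: true the http-originated Secure cookie is dropped and the original session survives, though the http page still has no session of its own, so Fred's point stands either way: a :secure session cannot be shared with non-ssl pages.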

