On Jun 10, 2:21 am, Skye Weir-Mathews <[email protected]> wrote:
> The thing that is confusing me is that, I have the :secure
> session_option set, but when I go to an insecure page the Set-Cookie
> _session_id header is passed to me, and this appears to be replacing the
> _session_id cookie I got when I was on the secure page.
>

When you go to an insecure page, your browser doesn't send the existing
session cookie (because you've marked it as secure), so rails creates a
new session (when you first use it).

> Am I understanding this correctly?
>
> Am I correct in thinking that my only options are to:
>
> 1. set sessions securely
> 2. use sessions in the insecure parts of my application
>
> but I definitely can't have both?

If you had separate subdomains (a secure and a non secure) then things
would just work (because the browser wouldn't try and use the same
cookies across both domains).

Fred

> Frederick Cheung wrote:
> > On Jun 8, 11:35 pm, Skye Weir-Mathews <[email protected]> wrote:
> >
> >> Is there a way to only pass the session_id over ssl, but have the rest
> >> of the page be unencrypted?
> >
> > The session cookie is just a header in the http response - it can't be
> > sent separately. Moreover, setting :secure on the session doesn't
> > cause the session cookie to be sent to the browser any differently, it
> > tells the browser 'only send this cookie with requests if the
> > connection is secure'. If you want the session to persist across ssl
> > and non ssl loads then don't set the :secure option
> >
> > Fred
>
> --
> Posted via http://www.ruby-forum.com/.
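As an added illustration (not code from this thread or from Rails), here is a small Ruby simulation of the behaviour Fred describes: a browser cookie jar that withholds a Secure cookie on plain http, and a toy session store that issues a fresh _session_id whenever none arrives. The CookieJar, SessionServer and simulate names, and the example hostnames, are assumptions made for the simulation.

```ruby
require 'uri'

# Minimal browser cookie jar (constructed for this example): enough to show
# why a Secure session cookie set over https ends up replaced after an http load.
class CookieJar
  Cookie = Struct.new(:name, :value, :domain, :secure)

  def initialize
    @cookies = {} # keyed by [host, name], as a browser does
  end

  # Remember a Set-Cookie header received in a response to +url+.
  def store(url, set_cookie)
    host = URI(url).host
    pair, *attrs = set_cookie.split(/;\s*/)
    name, value = pair.split('=', 2)
    @cookies[[host, name]] = Cookie.new(name, value, host, attrs.map(&:downcase).include?('secure'))
  end

  # Cookie header for a request to +url+; a Secure cookie is withheld on http.
  def cookie_header(url)
    uri = URI(url)
    https = uri.scheme == 'https'
    @cookies.values.select { |c| c.domain == uri.host && (https || !c.secure) }
            .map { |c| "#{c.name}=#{c.value}" }.join('; ')
  end
end

# Toy Rails-like session store: reuse the _session_id the browser sent,
# otherwise start a fresh session and issue Set-Cookie (Secure if configured).
class SessionServer
  def initialize(secure:)
    @secure, @count = secure, 0
  end

  def handle(cookie_header)
    return [Regexp.last_match(1), nil] if cookie_header =~ /_session_id=(\w+)/
    @count += 1
    sid = "sess#{@count}"
    [sid, "_session_id=#{sid}; path=/#{'; Secure' if @secure}"]
  end
end

# Walk one browser through +urls+ and return the session id seen on each request.
def simulate(urls, secure:)
  jar, server = CookieJar.new, SessionServer.new(secure: secure)
  urls.map do |url|
    sid, set_cookie = server.handle(jar.cookie_header(url))
    jar.store(url, set_cookie) if set_cookie
    sid
  end
end
```

With :secure set and a single host, the https session is replaced after the http page load (sess1, sess2, sess2); with the secure and insecure pages on separate hosts the secure session survives (sess1, sess2, sess1).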

