Does session_secure work?

I am trying to get session cookies set so they are only returned over ssl connections. I looked in AWDWR and see there is a parameter :session_secure. The book says ‘If true, sessions will be enabled only over https://’ The example code in that section of the book shows:

    class ApplicationController < ActionController::Base
      session :session_key => 'somekey_text'
    end

So I tried setting session :session_secure => true in ApplicationController. No change.

I found this post http://www.rorsecurity.info/journal/2007/4/12/session-hijacking.html on session hijacking that suggested:

To instruct the browser only to send the cookie over encrypted HTTPS and never over normal HTTP, you have to include the following line in the config/environment.rb file.

ActionController::Base.session_options[:session_secure] = true

I tried that (and yes, restarted my server) but no change. My Rails version is 2.3.5.

I am trying to verify things by looking at the cookie information in the Firefox preferences pane. I have some cookies that report “Send For: Encrypted connections only” but no matter what I set in my rails app, that cookie says “Send For: Any type of connection”.

Don’t think it should matter, but I am testing with Apache2 proxying to Mongrel. My production hosting will be Apache + passenger.

This is driving me mad. Thanks in advance,

The names of the session options changed in 2.3. Try just :secure instead

Fred

> The names of the session options changed in 2.3. Try just :secure instead

Thank you Fred. That was just the ticket! In config/environment.rb:

ActionController::Base.session_options[:secure] = true

I tried ActionController::Base.session_options[:secure] = true and the session cookie is not set at all. If I set it to false, everything works fine, but if it's true the server never sets the cookie, even if the request is over https (although my understanding is that it should set it anyway).
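As an added example (not code from this thread or from Rails itself), the following script models the two things the last two posts are about: how a Rack-style session store decides whether a request counts as SSL and whether to emit a cookie carrying the secure flag, and how to check the result from the Set-Cookie header instead of the Firefox preferences pane. The rule modelled here, that a store configured with :secure => true simply does not issue the cookie on a request it does not see as SSL, is an assumption about store behaviour and should be confirmed against the actionpack source for your version; the request environments and option values are constructed sample data.

```ruby
# Added example: models secure-cookie issuance behind a reverse proxy and
# checks the Secure flag on the Set-Cookie header. Not Rails code.

# Rack-style detection of an HTTPS request. A direct TLS connection sets
# HTTPS=on; when Apache terminates TLS and proxies to Mongrel or Passenger,
# the back end only learns the scheme from X-Forwarded-Proto. Without that
# header an https request looks like plain http to the application.
def ssl_request?(env)
  env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
end

# Build the Set-Cookie header value for the session cookie, or return nil
# when the store declines to set one. The "no secure cookie on a non-SSL
# request" rule is the assumption named in the lead-in.
def session_set_cookie(env, options)
  return nil if options[:secure] && !ssl_request?(env)
  parts = ["#{options[:key]}=#{options[:value]}", 'path=/']
  parts << 'HttpOnly' if options[:httponly]
  parts << 'secure' if options[:secure]
  parts.join('; ')
end

# Parse a Set-Cookie header value into its name, value and attributes so a
# test or a log check can assert on the Secure and HttpOnly flags directly.
def cookie_attributes(header)
  name_value, *attrs = header.split(/;\s*/)
  name, value = name_value.split('=', 2)
  flags = attrs.map { |a| a.split('=', 2) }.each_with_object({}) do |(k, v), h|
    h[k.downcase] = v.nil? ? true : v
  end
  {
    :name     => name,
    :value    => value,
    :path     => flags['path'],
    :secure   => flags.key?('secure'),
    :httponly => flags.key?('httponly')
  }
end

# Constructed request environments (sample data, not captured traffic).
PLAIN_HTTP              = { 'HTTPS' => 'off' }
DIRECT_HTTPS            = { 'HTTPS' => 'on' }
PROXIED_HTTPS_NO_HEADER = { 'HTTPS' => 'off' }  # TLS ended at Apache, scheme not forwarded
PROXIED_HTTPS           = { 'HTTPS' => 'off', 'HTTP_X_FORWARDED_PROTO' => 'https' }

# Constructed session options; the cookie name and value are placeholders.
SECURE_OPTS = { :key => '_myapp_session', :value => 'constructed-session-data',
                :secure => true, :httponly => true }

if __FILE__ == $0
  { 'plain http' => PLAIN_HTTP, 'direct https' => DIRECT_HTTPS,
    'proxied https, no X-Forwarded-Proto' => PROXIED_HTTPS_NO_HEADER,
    'proxied https with X-Forwarded-Proto' => PROXIED_HTTPS }.each do |label, env|
    header = session_set_cookie(env, SECURE_OPTS)
    if header
      puts "#{label}: #{header}  => secure=#{cookie_attributes(header)[:secure]}"
    else
      puts "#{label}: no session cookie issued"
    end
  end
end
```

Run it with `ruby secure_cookie_check.rb`: the two environments that the application cannot recognise as SSL get no cookie at all, which is the symptom of the last post, while a direct TLS request or a proxied one that forwards the scheme gets a cookie marked secure. Against a live server the equivalent check is to look at the raw response header, for example with `curl -I https://your.host/` and reading the Set-Cookie line for the `secure` attribute, rather than trusting the browser's cookie viewer.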