I am trying to get session cookies set so they are only returned over ssl connections. I looked in AWDWR and see there is a parameter :session_secure. The book says ‘If true, sessions will be enabled only over https://’ The example code in that section of the book shows:
    class ApplicationController < ActionController::Base
      session :session_key => 'somekey_text'
    end
So I tried setting session :session_secure => true in ApplicationController. No change.
I found this post http://www.rorsecurity.info/journal/2007/4/12/session-hijacking.html on session hijacking that suggested:
To instruct the browser only to send the cookie over encrypted HTTPS and never over normal HTTP, you have to include the following line in the config/environment.rb file.
ActionController::Base.session_options[:session_secure] = true
I tried that (and yes, restarted my server) but no change. My Rails version is 2.3.5
I am trying to verify things by looking at the cookie information in the Firefox preferences pane. I have some cookies that report “Send For: Encrypted connections only” but no matter what I set in my rails app, that cookie says “Send For: Any type of connection”.
Don’t think it should matter, but I am testing with Apache2 proxying to Mongrel. My production hosting will be Apache + passenger.
This is driving me mad. Thanks in advance,
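A way to verify the flag from the server's own response rather than from the browser's cookie pane, added here as an example and not part of the original post: it parses Set-Cookie headers and reports whether the cookie carries the Secure and HttpOnly attributes. The cookie name and header values are constructed samples, and check_url is a convenience wrapper for running the same check against a live URL. (My understanding, not stated in the post: Rails 2.3's Rack-based cookie store reads this option as :secure in ActionController::Base.session, not :session_secure.)

```ruby
# Added example (not from the original post): inspect Set-Cookie headers the way a
# defender would when confirming that a session cookie is marked Secure (and HttpOnly).
# Sample headers below are constructed; '_example_session' is a placeholder name.
require 'net/http'
require 'uri'

# Parse one Set-Cookie header value into the cookie name and a hash of
# lowercased attribute names (value-less attributes such as "secure" map to true).
def parse_set_cookie(header)
  parts = header.split(';').map { |s| s.strip }
  name, _value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |p|
    k, v = p.split('=', 2)
    attrs[k.downcase] = v.nil? ? true : v
  end
  { :name => name, :attrs => attrs }
end

# Report the two flags that matter when the app is reachable over both HTTP and HTTPS:
# Secure keeps the cookie off plaintext connections, HttpOnly keeps it away from scripts.
def check_session_cookie(header)
  c = parse_set_cookie(header)
  {
    :name     => c[:name],
    :secure   => c[:attrs].key?('secure'),
    :httponly => c[:attrs].key?('httponly'),
  }
end

# Convenience: HEAD a URL and check every Set-Cookie header it returns (uses the network).
def check_url(url)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  res = http.request_head(uri.request_uri)
  (res.get_fields('set-cookie') || []).map { |h| check_session_cookie(h) }
end

if __FILE__ == $0
  # Constructed samples: one cookie set correctly, one missing the Secure flag.
  samples = [
    '_example_session=abc123; path=/; secure; HttpOnly',
    '_example_session=abc123; path=/; HttpOnly',
  ]
  samples.each { |h| p check_session_cookie(h) }
end
```

Run it against the development server with check_url('https://localhost/') to see the flags the app actually sends, independent of what the browser displays.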