How do I set session_id cookies securely on an http page?

I added

ActionController::Base.session_options[:secure] = true

to ~/config/environments/production.rb

and now my app sets a different session_id cookie on every request to a
non ssl page, making the session useless.

If my session_id cookie is set by a request to a https page, and I stay
on https pages, my session_id cookie persists and I can see my session
data.

If I navigate to an unencrypted page, my session_id gets reset and I
lose access to all my session data.

Is this how it's supposed to work? Is there a way to bounce back and
forth between http and https pages without resetting the session_id
cookie, and still only set the cookie securely.

Is there a way to only pass the session_id over ssl, but have the rest
of the page be unencrypted?

The session cookie is just a header in the http response - it can't be
sent separately. Moreover, setting :secure on the session doesn't
cause the session cookie to be sent to the browser any differently, it
tells the browser 'only send this cookie with requests if the
connection is secure'. If you want the session to persist across ssl
and non ssl loads then don't set the :secure option

Fred

The thing that is confusing me is that, I have the :secure
session_option set, but when I go to an insecure page the Set-Cookie
_session_id header is passed to me, and this appears to be replacing the
_session_id cookie I got when I was on the secure page.

Both secure and insecure pages are sending this header:

Set-Cookie: _session_id=c60ed753dca8d48c0c4cef57f048d4e9; path=/;
Secure; HttpOnly

I would be happy if I could get the insecure pages to stop sending the
Set-Cookie header. However since session are now "lazy loaded" I think
I'm supposed to find everything in the application (on the http pages)
that stores stuff in the session, and make it stop. This is inconvenient
because I use flash[:notice] a lot for error messaging.

Am I understanding this correctly?

Am I correct in thinking that my only options are to:

1. set sessions securely
2. use sessions in the insecure parts of my application

but I definitely can't have both?

Frederick Cheung wrote:

The thing that is confusing me is that, I have the :secure
session_option set, but when I go to an insecure page the Set-Cookie
_session_id header is passed to me, and this appears to be replacing the
_session_id cookie I got when I was on the secure page.

When you go to an insecure page, your browser doesn't send the
existing session cookie (because you've marked it as secure), so rails
creates a new session (when you first use it)

Am I understanding this correctly?

Am I correct in thinking that my only options are to:

1. set sessions securely
2. use sessions in the insecure parts of my application

but I definitely can't have both?

f you had separate subdomains (a secure and a non secure) then things
would just work (because the browser wouldn't try and use the same
cookies across both domains

Fred

I was talking with a friend, and he suggested I store my shopping cart
data in cookies, then I wouldn't need sessions until I got to the
checkout pages (where they are getting set securely). Do you have an
opinion on this, it seems easier than implementing sub domains to me.

Also, thank you so much for your insight, the magic of sessions is
becoming a lot clearer to me.

Frederick Cheung wrote: