Sessions and HTTPS

Hi all,

I'm having a problem and I don't even know if it *is* fixable, let alone how to fix it.

I have a section of my site which redirects to an HTTPS connection to a different subdomain, so that users can safely make a payment. The redirection works fine, and the payment process runs as expected, but when the user returns to an http:// connection they are logged out. It seems that the session cookie isn't being sent.

The situation is like this:

protocol: HTTP -> HTTPS -> HTTP
session:  OLD  -> OLD   -> NEW

Now, I have my cookies set up to persist across subdomains, and that works across the rest of the site; however, as I say, on returning from an HTTPS connection no cookie is sent by the browser, and therefore a new session is created.

Is there some way I can set up cookies to persist across HTTPS *and back*? What's surprising is that there's no problem with the switch *TO* HTTPS.

Thanks, Gareth

Gareth Adams wrote:

Hi all,

I'm having a problem and I don't even know if it *is* fixable, let alone how to fix it.

I have a section of my site which redirects to an HTTPS connection to a different subdomain, so that users can safely make a payment. The redirection works fine, and the payment process runs as expected, but when the user returns to an http:// connection they are logged out. It seems that the session cookie isn't being sent.

The situation is like this:

protocol: HTTP -> HTTPS -> HTTP
session:  OLD  -> OLD   -> NEW

Now, I have my cookies set up to persist across subdomains, and that works across the rest of the site; however, as I say, on returning from an HTTPS connection no cookie is sent by the browser, and therefore a new session is created.

Is there some way I can set up cookies to persist across HTTPS *and back*? What's surprising is that there's no problem with the switch *TO* HTTPS.

I have a similar setup but am not seeing this problem. How are you redirecting from HTTPS to HTTP? Are you forcing HTTP using mod_rewrite?

Long

Hi Gareth -

Try this: ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => '.example.com')

It will maintain your session across anything with '.example.com'.

Cheers Starr

One more thing - looking at the Rails wiki, it seems as if some people can't get it to work without omitting the '.' from the domain name.

Starr wrote:

Hi Gareth -

Try this: ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => '.example.com')

It will maintain your session across anything with '.example.com'.

I will add that I'd place the code snippet in environment.rb (there may be other suitable locations) and only enable it for 'production'. If you enable it in development (WEBrick) you will quickly find sessions unusable.

Long
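As an added illustration (not code from the thread or from Rails), the following Ruby script models the browser-side rules that decide whether a session cookie is attached to a request: RFC 6265 domain matching, which is what the :session_domain setting above relies on, and the Secure attribute. The hosts, paths and cookie names are constructed for the example; it walks the HTTP -> HTTPS -> HTTP round trip from the original question for three cookie scopes.

```ruby
# Added example (not from the thread): a minimal model of the browser-side
# rules (RFC 6265 domain matching and the Secure attribute) that decide
# whether a session cookie is attached to a request. Hosts and paths are
# constructed for illustration.
require 'uri'

Cookie = Struct.new(:name, :domain, :host_only, :secure, keyword_init: true)

# RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when
# it is identical to it or is a subdomain of it (a leading dot is ignored).
def domain_match?(request_host, cookie_domain)
  request_host = request_host.downcase
  cookie_domain = cookie_domain.downcase.sub(/\A\./, '')
  request_host == cookie_domain || request_host.end_with?(".#{cookie_domain}")
end

# Would a browser attach +cookie+ to a request for +url+?
def cookie_sent?(cookie, url)
  uri = URI.parse(url)
  return false if cookie.secure && uri.scheme != 'https'
  return uri.host.casecmp?(cookie.domain) if cookie.host_only
  domain_match?(uri.host, cookie.domain)
end

# Set with :session_domain => '.example.com' as suggested in the thread:
# valid for every host under example.com, over either scheme.
SHARED = Cookie.new(name: '_session_id', domain: '.example.com',
                    host_only: false, secure: false)
# Set by the payment host with no domain attribute: host-only, so it is
# never sent back to www.example.com.
HOST_ONLY = Cookie.new(name: '_session_id', domain: 'pay.example.com',
                       host_only: true, secure: false)
# Flagged Secure: sent over HTTPS only, never on the return to plain HTTP.
SECURE_ONLY = Cookie.new(name: '_session_id', domain: '.example.com',
                         host_only: false, secure: true)

# The thread's HTTP -> HTTPS -> HTTP round trip; returns, per request,
# whether the cookie would be sent.
def round_trip(cookie)
  %w[http://www.example.com/cart https://pay.example.com/checkout
     http://www.example.com/done].map { |url| cookie_sent?(cookie, url) }
end

if __FILE__ == $PROGRAM_NAME
  { shared: SHARED, host_only: HOST_ONLY, secure_only: SECURE_ONLY }.each do |label, c|
    puts "#{label}: #{round_trip(c).inspect}"
  end
end
```

Only the shared-domain cookie survives all three requests; a host-only cookie set by the payment host, or one flagged Secure, is absent on the return to HTTP, which is the symptom described in the question.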

That's a good heads up, Long. - Thanks

Starr

Starr wrote:

That's a good heads up, Long. - Thanks

You're welcome. The issue might come up later, so I thought I should mention it.

Cheers,

Long