I’m trying to set the session cookie secure flag to true. I added the
following to my environments/production.rb
ActionController::Base.session_options[:secure] = true
In the production mode I don’t see the set-cookie header in the server
response (I’m using the Tamper Data Firefox tool to view the traffic). I
tried removing all cookies, manually setting the domain including the
child domain(since domain is shared among many applications, the appache
server forwards the requests to the right application and thus the
request is always received by the application server as if it’s coming
from localhost). I also tried to test it in development mode, I assume
the server should at least set the cookie even if the request is over
http but the browser won’t send the cookie over http but again the
server does not send the set-cookie header. Everything works just fine
if I remove that line that sets secure to true. I’m still in Rails
2.3.8. Am I missing something
here?