I am trying to get session cookies set so they are only returned over SSL
connections. I looked in AWDWR and see there is a parameter :session_secure.
The book says 'If true, sessions will be enabled only over https://'. The
example code in that section of the book shows:

    class ApplicationController < ActionController::Base
      session :session_key => 'somekey_text'
    end
So I tried setting
session :session_secure => true in ApplicationController. No change.
I found this post, Session hijacking - Ruby on Rails Security Project, on
session hijacking that suggested:

    To instruct the browser only to send the cookie over encrypted HTTPS and
    never over normal HTTP, you have to include the following line in the
    config/environment.rb file.

    ActionController::Base.session_options[:session_secure] = true

I tried that (and yes, restarted my server) but no change. My Rails version
is 2.3.5.
I am trying to verify things by looking at the cookie information in the
Firefox preferences pane. I have some cookies that report "Send For:
Encrypted connections only" but no matter what I set in my Rails app, that
cookie says "Send For: Any type of connection".
Don’t think it should matter, but I am testing with Apache2 proxying to
Mongrel. My production hosting will be Apache + passenger.
This is driving me mad. Thanks in advance,
–
Cynthia K.
[email protected]
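A way to check the result directly from the response headers rather than from the Firefox preferences pane, added here as an example (it is not code from the post above or from Rails); the session cookie name `_myapp_session` and the sample Set-Cookie lines are constructed:

```ruby
# Parse one Set-Cookie header value into its name, value and a hash of
# attributes. Valueless attributes such as "secure" and "HttpOnly" map to true;
# attribute names are lower-cased because browsers treat them case-insensitively.
def parse_set_cookie(header)
  parts = header.split(";").map(&:strip)
  name, value = parts.shift.split("=", 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split("=", 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attrs }
end

# List what is wrong with a session cookie; empty when it carries both flags.
# A cookie without "secure" is the one Firefox shows as "Any type of connection"
# and will be sent over plain HTTP as well, which is what enables hijacking.
def session_cookie_problems(header, session_key)
  cookie = parse_set_cookie(header)
  return [] unless cookie[:name] == session_key
  problems = []
  problems << "missing Secure flag"   unless cookie[:attrs]["secure"]
  problems << "missing HttpOnly flag" unless cookie[:attrs]["httponly"]
  problems
end

# Audit every Set-Cookie line of a response; returns {cookie_name => problems}
# for the session cookie only.
def audit_session_cookies(set_cookie_headers, session_key)
  set_cookie_headers.each_with_object({}) do |header, report|
    name = parse_set_cookie(header)[:name]
    next unless name == session_key
    report[name] = session_cookie_problems(header, session_key)
  end
end

# Constructed sample headers (hypothetical session id values): the first is what
# a cookie without the flag looks like, the second is the hardened form.
INSECURE_HEADER = "_myapp_session=BAh7BzoPc2Vzc2lvbl9pZCIlZjk4; path=/; HttpOnly"
SECURE_HEADER   = "_myapp_session=BAh7BzoPc2Vzc2lvbl9pZCIlZjk4; path=/; secure; HttpOnly"

if __FILE__ == $0
  puts audit_session_cookies([INSECURE_HEADER, SECURE_HEADER], "_myapp_session").inspect
end
```

Feed it the Set-Cookie lines from the raw HTTPS response of your app (for example the headers printed by `curl -sI https://yourhost/`) to confirm the flag on the wire, independent of any browser UI.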