Hi all,
I’m having a problem and I don’t even know if it is fixable, let alone how to fix it.
I have a section of my site which redirects to an HTTPS connection to a different subdomain, so that users can safely make a payment. The redirection works fine, and the payment process runs as expected, but when the user returns to an http:// connection they are logged out. It seems that the session cookie isn’t being sent.
The situation is like this:
protocol: HTTP -> HTTPS -> HTTP
session: OLD -> OLD -> NEW
Now, I have my cookies set up to persist across subdomains, and that works across the rest of the site; however, as I say, on returning from an https connection, no cookie is sent by the browser and therefore a new session is created.
Is there some way I can set up cookies to persist across HTTPS and back?
What’s surprising is that there’s no problem with the switch TO HTTPS.
Thanks,
Gareth
Gareth A. wrote:
isn’t being sent.
Is there some way I can set up cookies to persist across HTTPS and back?
What’s surprising is that there’s no problem with the switch TO HTTPS
I have a similar setup but am not seeing this problem. How are you redirecting from HTTPS to HTTP? Are you forcing HTTP using mod_rewrite?
Long
Hi Gareth -
Try this:
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(
  :session_domain => '.example.com')
It will maintain your session across anything with '.example.com'.
Cheers
Starr
Starr wrote:
Hi Gareth -
Try this:
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(
  :session_domain => '.example.com')
It will maintain your session across anything with '.example.com'.
I will add that I’d place the code snippet in environment.rb (there may be other suitable locations) and only enable it for ‘production’. If you enable it in development (WEBrick) you will quickly find sessions unusable.
Long
Starr wrote:
That’s a good heads up, Long. - Thanks
You’re welcome. The issue might come up later so I’d thought I should mention it.
Cheers,
Long
One more thing - looking at the Rails wiki, it seems as if some people can’t get it to work without omitting the ‘.’ from the domain name.
That’s a good heads up, Long. - Thanks
Starr
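
The following is an added example, not part of any post in this thread and not Rails code: a simplified model of the RFC 6265 rules a browser applies when deciding which cookies to send, run over the HTTP -> HTTPS -> HTTP round trip described above. The cookie names, hosts and URLs are constructed for illustration; public-suffix and path checks are left out.

```ruby
require 'uri'

# A stored cookie: name, the host that set it, the Domain attribute
# (nil when none was given) and the Secure flag.
Cookie = Struct.new(:name, :set_by_host, :domain, :secure)

# RFC 6265 domain matching. Without a Domain attribute the cookie is
# host-only; with one, the host must equal the domain or be a subdomain.
def domain_match?(host, cookie)
  host = host.downcase
  return host == cookie.set_by_host.downcase if cookie.domain.nil?

  # RFC 6265 ignores a leading dot, so '.example.com' and 'example.com'
  # are equivalent for clients that follow it.
  dom = cookie.domain.downcase.sub(/\A\./, '')
  host == dom || host.end_with?('.' + dom)
end

# A Secure cookie is never attached to a plain-HTTP request.
def sent?(url, cookie)
  uri = URI.parse(url)
  return false if cookie.secure && uri.scheme != 'https'

  domain_match?(uri.host, cookie)
end

def cookies_sent(url, jar)
  jar.select { |c| sent?(url, c) }.map(&:name)
end

# Constructed cookie jar covering the cases raised in the thread.
JAR = [
  Cookie.new('host_only',     'www.example.com',    nil,            false),
  Cookie.new('shared',        'www.example.com',    '.example.com', false),
  Cookie.new('shared_nodot',  'www.example.com',    'example.com',  false),
  Cookie.new('secure_shared', 'secure.example.com', '.example.com', true)
].freeze

if __FILE__ == $PROGRAM_NAME
  # Constructed URLs for the three legs of the round trip.
  %w[http://www.example.com/cart
     https://secure.example.com/pay
     http://www.example.com/done].each do |url|
    puts "#{url} -> #{cookies_sent(url, JAR).join(', ')}"
  end
end
```
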