I added

ActionController::Base.session_options[:secure] = true

to ~/config/environments/production.rb

and now my app sets a different session_id cookie on every request to a
non-SSL page, making the session useless.

If my session_id cookie is set by a request to an https page, and I stay
on https pages, my session_id cookie persists and I can see my session
data.

If I navigate to an unencrypted page, my session_id gets reset and I
lose access to all my session data.

Is this how it's supposed to work? Is there a way to bounce back and
forth between http and https pages without resetting the session_id
cookie, and still only set the cookie securely?

Is there a way to only pass the session_id over SSL, but have the rest
of the page be unencrypted?
-- 
Posted via http://www.ruby-forum.com/.
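
The behaviour described in the post above, reproduced as an added example (not code from the original message or from Rails): a toy cookie jar and session handler showing why a Secure session cookie yields a fresh session on every http request. The helper names (`store_cookie`, `cookies_for`, `handle_request`, `browse`) and the URLs are hypothetical, and the jar is assumed to store a Secure cookie received over http, as the post reports.

```ruby
require 'securerandom'
require 'uri'

# Browser side: parse a Set-Cookie value such as "session_id=abc; path=/; secure"
# into the jar. Assumption: a Secure cookie received over http is stored, as the
# post reports; current browsers reject it, but never send it over http either.
def store_cookie(jar, set_cookie)
  pair, *attrs = set_cookie.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  jar[name] = { value: value, secure: attrs.any? { |a| a.casecmp?('secure') } }
end

# Browser side: cookies attached to a request; Secure ones go only over https.
def cookies_for(jar, url)
  https = URI(url).scheme == 'https'
  jar.select { |_, c| https || !c[:secure] }.transform_values { |c| c[:value] }
end

# Server side (hypothetical stand-in for the Rails session store): reuse the
# session named by the cookie, otherwise create one and emit Set-Cookie.
def handle_request(sessions, cookies, secure:)
  sid = cookies['session_id']
  return [sid, nil] if sid && sessions.key?(sid)
  sid = SecureRandom.hex(16)
  sessions[sid] = {}
  [sid, "session_id=#{sid}; path=/#{'; secure' if secure}"]
end

# Visit the URLs in order; return the session id the server used for each.
def browse(urls, secure:)
  jar = {}
  sessions = {}
  urls.map do |url|
    sid, set_cookie = handle_request(sessions, cookies_for(jar, url), secure: secure)
    store_cookie(jar, set_cookie) if set_cookie
    sid
  end
end

# Constructed sample navigation: two https pages, two http pages, then https.
URLS = %w[https://app.example/login https://app.example/account
          http://app.example/ http://app.example/about
          https://app.example/account].freeze

browse(URLS, secure: true).each_with_index { |sid, i| puts "#{URLS[i]} -> #{sid[0, 8]}" }
```

With `secure: true` the two https requests share one session id, each http request gets a new one, and the final https request continues the session created by the last http response. With `secure: false` all five requests share a single id.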
