Note, as far as I can tell, setting session.secure() doesn't restrict web2py 
from sending the cookie to the browser (i.e., web2py will send the cookie 
even if the connection isn't secure) -- it only tells the browser not to 
send the cookie back unless over a secure connection.
 
Anthony

On Tuesday, June 21, 2011 8:30:58 PM UTC-4, Anthony wrote:

> On Tuesday, June 21, 2011 7:13:34 PM UTC-4, pbreit wrote: 
>>
>> Where should I put session.secure()? And is it session.secure() or 
>> session._secure=True?
>
>  
> session.secure() simply does session._secure=True, so they are equivalent 
> (though the former seems cleaner).
>  
> It simply results in the 'Secure' attribute of the session cookie being 
> turned on, which doesn't happen until after the controller is run, right 
> before the response is returned to the server. So, you can probably set it 
> anywhere it makes sense, perhaps in a model. Note, once the cookie is set to 
> Secure, the browser will only send it back over an HTTPS connection -- if 
> the user goes to a non-HTTPS part of the site, the cookie won't come back, 
> and web2py may generate a new session and (non) secure cookie (unless 
> nothing is written to the session on the non-HTTPS part of the site).
>  
> Anthony
>

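The exchange above describes a cookie-attribute mechanism rather than a web2py setting per se, so it can be demonstrated without web2py at all. The following is an added example (not code from the original thread and not web2py's implementation) that models both halves of what Anthony describes with the standard library only: the server emits a Set-Cookie header with the Secure attribute regardless of the transport it is answering on, and a toy browser cookie jar withholds a Secure cookie on plain http, so the server sees no session id and issues a fresh session. The cookie name, the simulated session store and the `writes_session` switch are assumptions made for the illustration; the jar keys cookies by name and lets a later Set-Cookie replace an earlier one, which is a simplification of real browser behaviour.

```python
# Added example (not web2py code): model the effect of the 'Secure' cookie
# attribute on the server side and on the browser side using only the stdlib.
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "session_id_myapp"  # assumed name for the illustration


def set_session_cookie(session_id, secure):
    """Return the Set-Cookie header a server emits for a session id.

    The server emits the header whether or not the request arrived over
    HTTPS; 'Secure' is only an instruction to the browser about sending
    the cookie back, not a restriction on the server setting it.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["path"] = "/"
    if secure:
        cookie[COOKIE_NAME]["secure"] = True
    return cookie.output(header="Set-Cookie:")


class BrowserJar:
    """Toy browser cookie jar: stores cookies from Set-Cookie headers and
    produces the Cookie header value the browser would attach to a request."""

    def __init__(self):
        self.cookies = {}  # name -> (value, secure flag)

    def store(self, set_cookie_header):
        header = set_cookie_header
        if header.lower().startswith("set-cookie:"):
            header = header.split(":", 1)[1].strip()
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            # Simplification: a later Set-Cookie replaces an earlier one by name.
            self.cookies[name] = (morsel.value, bool(morsel["secure"]))

    def cookie_header(self, scheme):
        """Cookie header for a request over `scheme` ('http' or 'https').
        A Secure cookie is withheld unless the request is over https."""
        parts = []
        for name, (value, secure) in self.cookies.items():
            if secure and scheme != "https":
                continue
            parts.append(f"{name}={value}")
        return "; ".join(parts)


def handle_request(jar, scheme, sessions, secure_cookie, writes_session=True):
    """Simulate one request against a server that keeps sessions in `sessions`.

    Returns (session_id, created). If the browser sent a known session id it
    is reused. Otherwise, mirroring the behaviour described in the thread, a
    new session is created and a new cookie is issued, but only if something
    is written to the session during the request (`writes_session`).
    """
    sent = jar.cookie_header(scheme)
    sid = None
    for part in sent.split("; "):
        if part.startswith(COOKIE_NAME + "="):
            sid = part.split("=", 1)[1]
    if sid is not None and sid in sessions:
        return sid, False
    if not writes_session:
        return None, False
    sid = secrets.token_hex(16)
    sessions[sid] = {}
    # The cookie is issued even when scheme == "http"; the browser decides
    # whether it ever comes back, based on the Secure attribute.
    jar.store(set_session_cookie(sid, secure=secure_cookie))
    return sid, True
```

Running a https request, then a http request, against the same jar shows the churn Anthony warns about: the Secure cookie from the https visit is never presented on http, so every http request that writes to the session creates a new session; and if the server keeps issuing Secure cookies on http (as web2py does according to the first message), each of those new cookies is equally unusable on http, so no session ever sticks on the non-HTTPS part of the site.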