On Tuesday, June 21, 2011 7:13:34 PM UTC-4, pbreit wrote: 
>
> Where should I put session.secure()? And is it session.secure() or 
> session._secure=True?

 
session.secure() simply does session._secure=True, so they are equivalent 
(though the former seems cleaner).
 
It simply results in the 'Secure' attribute of the session cookie being 
turned on, which doesn't happen until after the controller is run, right 
before the response is returned to the server. So, you can probably set it 
anywhere it makes sense, perhaps in a model. Note, once the cookie is set to 
Secure, the browser will only send it back over an HTTPS connection -- if 
the user goes to a non-HTTPS part of the site, the cookie won't come back, 
and web2py may generate a new session and (non) secure cookie (unless 
nothing is written to the session on the non-HTTPS part of the site).
 
Anthony
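
An added example, not part of the reply above and not web2py's own code: a stand-alone Python sketch (standard library only) of the browser-side behaviour the reply describes, with `http.cookiejar` standing in for the browser. The cookie name, its value and the example.com URLs are constructed for illustration.

```python
import email.message
import http.cookiejar
import http.cookies
import urllib.request

COOKIE_NAME = "session_id_myapp"  # constructed name, for illustration only


def session_set_cookie(secure):
    """Build the Set-Cookie value a server would emit for the session cookie."""
    jar = http.cookies.SimpleCookie()
    jar[COOKIE_NAME] = "constructed-session-value"
    jar[COOKIE_NAME]["path"] = "/"
    if secure:
        # This is the attribute the reply says session.secure() turns on.
        jar[COOKIE_NAME]["secure"] = True
    return jar[COOKIE_NAME].OutputString()


class FakeResponse:
    """Minimal response object: CookieJar only needs info() with headers."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(secure, first_url, next_url):
    """Receive the cookie on first_url, then return the Cookie header the
    client would attach to a request for next_url (None if it is withheld)."""
    client = http.cookiejar.CookieJar()
    response = FakeResponse(session_set_cookie(secure))
    client.extract_cookies(response, urllib.request.Request(first_url))
    follow_up = urllib.request.Request(next_url)
    client.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    https_page = "https://example.com/myapp/default/login"
    http_page = "http://example.com/myapp/default/index"
    print("Set-Cookie:", session_set_cookie(True))
    print("Secure cookie, HTTPS request:", cookie_sent(True, https_page, https_page))
    print("Secure cookie, HTTP request: ", cookie_sent(True, https_page, http_page))
    print("Plain cookie, HTTP request:  ", cookie_sent(False, https_page, http_page))
```

The second case returns no Cookie header, which is the situation where the server sees a request without a session cookie on the non-HTTPS part of the site.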
