groan, I posted something and it doesn't show up: apologies for double posting if the previous one shows up in a few....
The "issue" is that you are not session.forget()-ing the requests going to the http realm: what you are doing is overriding the cookie before redirecting. Both the browser and web2py behave consistently.

Case without session.forget():

1. https://something
   - browser: none
   - web2py: set-cookie abcd secure
2. https://something
   - browser: abcd
   - web2py: set-cookie abcd secure
3. http://something
   - browser: none ("I must not send a secured cookie back to the domain without https")
   - web2py: location https://something, set-cookie defg ("User is new around here, let's create a new session")
4. https://something
   - browser: defg ("I can send the cookie I received before because it was not secured")
   - web2py: set-cookie defg secure

When you set session.forget() for the http realm, all goes well:

1. https://something
   - browser: none
   - web2py: set-cookie abcd secure
2. https://something
   - browser: abcd
   - web2py: set-cookie abcd secure
3. http://something
   - browser: none
   - web2py: location https://something
4. https://something
   - browser: abcd ("No new cookies were issued, so I use the one set before, it's a https request with a secured cookie, send abcd back")
   - web2py: set-cookie abcd secure

PS: the issue presents itself only if you do redirections within web2py without session.forget()... a normal webserver issues only the *Location* header and sets no cookies when set to redirect something, so it behaves "more correctly" and exactly like web2py with session.forget() enabled.
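The two exchanges above, replayed as a small constructed simulation (added here as an illustration, not web2py's own code): a cookie jar that only honours the Secure attribute, and a server that either issues a fresh non-Secure session on the http redirect or, with session.forget() modelled as `forget_on_http=True`, sends only the Location header. The session ids "abcd"/"defg" and the cookie name `session_id` are constructed to match the post.

```python
from dataclasses import dataclass, field

SESSION_IDS = ["abcd", "defg"]  # constructed ids matching the exchange above


@dataclass
class Browser:
    """Minimal cookie jar that honours only the Secure attribute."""
    jar: dict = field(default_factory=dict)  # name -> (value, secure)

    def cookie_for(self, scheme, name="session_id"):
        entry = self.jar.get(name)
        if entry is None:
            return None
        value, secure = entry
        # A Secure cookie is never sent over plain http
        return None if (secure and scheme != "https") else value

    def store(self, set_cookie):
        if set_cookie is not None:
            name, value, secure = set_cookie
            self.jar[name] = (value, secure)  # same name: the old cookie is overwritten


class Server:
    """Models the session handling described in the post, with an http->https redirect."""
    def __init__(self, forget_on_http):
        self.forget_on_http = forget_on_http
        self.fresh = iter(SESSION_IDS)

    def handle(self, scheme, cookie):
        """Return (Location header or None, Set-Cookie tuple or None)."""
        if scheme == "http":
            if self.forget_on_http:
                return "https://something", None  # session.forget(): redirect only
            # without forget(): a new non-Secure session is created before redirecting
            return "https://something", ("session_id", cookie or next(self.fresh), False)
        return None, ("session_id", cookie or next(self.fresh), True)


def run_exchange(forget_on_http):
    """Replay the four requests from the post; return the cookie the browser sent each time."""
    browser, server = Browser(), Server(forget_on_http)
    sent = []
    for scheme in ("https", "https", "http", "https"):
        cookie = browser.cookie_for(scheme)
        _location, set_cookie = server.handle(scheme, cookie)
        browser.store(set_cookie)
        sent.append(cookie)
    return sent
```

`run_exchange(False)` yields the cookies sent in the first exchange and `run_exchange(True)` those of the second. Note that browsers implementing the "Leave Secure Cookies Alone" rule now refuse to let a plain-http Set-Cookie overwrite a Secure cookie of the same name, which masks step 3 client-side; the server-side fix described in the post is still the correct one.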