Someone please correct me if I am wrong, but this issue is one of architecting your applications/environment properly.
If you only ever use https (i.e., no http), then all is fine. If you use mixed http and https, then you likely want to set session.secure() (this will set the cookie's 'secure' attribute, identifying that the browser should never send the cookie over a non-secure channel).

The issue is that first connection you use to obtain the cookie. If it is over a non-secure channel, the server will send you a cookie with your session id and the secure attribute set. This is an issue in that a third party can acquire your session id over this non-secure channel.

Solution: Unfortunately the cookie is sent whether you are authenticated or not... I believe the only solution is to ensure all web2py calls are over a secure channel. Your settings can still identify that other calls may not be over secure channels though (think static files, etc., in which you bypass web2py).

Thoughts??
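The first-connection leak described in the post, as an added simulation in plain Python (not web2py code and not from the post's author): a toy origin with two front-door policies, a browser cookie jar that honours the Secure attribute, and a passive attacker watching the plaintext leg. The cookie name session_id_myapp, the host app.example and every class and function name are assumptions. It shows that Secure stops the browser from sending the session id over http on later requests, but does nothing for the Set-Cookie that already crossed http on the first request, and that redirecting to https before any session is issued closes that gap.

```python
"""Constructed model of 'session cookie issued over http, Secure flag set'."""
import secrets
from http.cookies import SimpleCookie

# web2py names the cookie session_id_<appname>; the app name is assumed here.
SESSION_COOKIE = "session_id_myapp"
HTTPS_HOME = "https://app.example/"  # hypothetical host


def session_set_cookie(session_id):
    """Set-Cookie value carrying Secure (what session.secure() adds) plus HttpOnly."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["path"] = "/"
    return jar[SESSION_COOKIE].OutputString()


class BrowserJar:
    """Minimal cookie store that honours the Secure attribute when sending."""

    def __init__(self):
        self.cookies = {}  # name -> (value, secure_flag)

    def store(self, set_cookie_header):
        for name, morsel in SimpleCookie(set_cookie_header).items():
            self.cookies[name] = (morsel.value, bool(morsel["secure"]))

    def outgoing(self, scheme):
        """Cookies the browser attaches to a request made over `scheme`."""
        return {name: value for name, (value, secure) in self.cookies.items()
                if scheme == "https" or not secure}


class WireTap:
    """Passive attacker on the plaintext leg: reads every http response header."""

    def __init__(self):
        self.captured = []

    def observe(self, scheme, headers):
        if scheme == "http" and "Set-Cookie" in headers:
            parsed = SimpleCookie(headers["Set-Cookie"])
            self.captured.append(parsed[SESSION_COOKIE].value)


class Server:
    """Toy origin with an in-memory session table and two front-door policies."""

    def __init__(self):
        self.sessions = set()

    def _issue_session(self):
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return {"status": 200, "headers": {"Set-Cookie": session_set_cookie(sid)}}

    def issue_on_any_channel(self, scheme, request_cookies):
        """Hands out the session cookie on whatever channel the first request used.

        Secure keeps the browser from returning it over http later, but the
        Set-Cookie itself already crossed the wire in the clear when scheme is http.
        """
        if request_cookies.get(SESSION_COOKIE) in self.sessions:
            return {"status": 200, "headers": {}}
        return self._issue_session()

    def https_only(self, scheme, request_cookies):
        """Does nothing stateful over http: redirect before any Set-Cookie.

        Assumed web2py equivalent, placed in a model file that runs before the
        session is touched: if not request.is_https: redirect(URL(scheme='https',
        host=True)); then session.secure().
        """
        if scheme != "https":
            return {"status": 301, "headers": {"Location": HTTPS_HOME}}
        return self.issue_on_any_channel(scheme, request_cookies)


def run_scenario(policy, first_scheme, max_hops=3):
    """Browser opens the site over `first_scheme` and follows redirects.

    Returns whether the attacker captured a session id, whether the browser
    ended up with a session, whether a later plain-http request would carry it,
    and whether the captured id is still a valid session the attacker can reuse.
    """
    server, jar, tap = Server(), BrowserJar(), WireTap()
    handler = getattr(server, policy)
    scheme = first_scheme
    for _ in range(max_hops):
        response = handler(scheme, jar.outgoing(scheme))
        tap.observe(scheme, response["headers"])
        if "Set-Cookie" in response["headers"]:
            jar.store(response["headers"]["Set-Cookie"])
        if response["status"] != 301:
            break
        scheme = response["headers"]["Location"].split(":", 1)[0]
    return {
        "leaked": bool(tap.captured),
        "has_session": SESSION_COOKIE in jar.cookies,
        "sent_over_http": SESSION_COOKIE in jar.outgoing("http"),
        "hijackable": any(sid in server.sessions for sid in tap.captured),
    }
```

Running run_scenario("issue_on_any_channel", "http") reports leaked and hijackable as true even though sent_over_http is false: the Secure flag did its job for later requests, and the damage was done by the first response. With the https_only policy the http request gets a redirect carrying no Set-Cookie, the session is issued over https, and nothing is captured. Static files served outside web2py are unaffected by either policy, which is the split the post describes.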