True.
On Jun 21, 7:35 pm, Anthony <abasta...@gmail.com> wrote:
> Note, as far as I can tell, setting session.secure() doesn't restrict web2py
> from sending the cookie to the browser (i.e., web2py will send the cookie
> even if the connection isn't secure) -- it only tells the browser not to
> send the cookie back unless over a secure connection.
>
> Anthony
>
> On Tuesday, June 21, 2011 8:30:58 PM UTC-4, Anthony wrote:
> > On Tuesday, June 21, 2011 7:13:34 PM UTC-4, pbreit wrote:
> >
> >> Where should I put session.secure()? And is it session.secure() or
> >> session._secure=True?
> >
> > session.secure() simply does session._secure=True, so they are equivalent
> > (though the former seems cleaner).
> >
> > It simply results in the 'Secure' attribute of the session cookie being
> > turned on, which doesn't happen until after the controller is run, right
> > before the response is returned to the server. So, you can probably set it
> > anywhere it makes sense, perhaps in a model. Note, once the cookie is set to
> > Secure, the browser will only send it back over an HTTPS connection -- if
> > the user goes to a non-HTTPS part of the site, the cookie won't come back,
> > and web2py may generate a new session and (non) secure cookie (unless
> > nothing is written to the session on the non-HTTPS part of the site).
> >
> > Anthony
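
The client-side effect of the 'Secure' attribute discussed in this thread, as an added example that is not part of the original posts and is not web2py code: Python's standard `http.cookiejar` stands in for the browser, and `http.cookies` builds the `Set-Cookie` value. The host name, cookie name, session id and helper names are constructed for illustration.

```python
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

HOST = "app.example.com"      # constructed host name
COOKIE = "session_id_demo"    # constructed cookie name


def session_set_cookie(session_id, secure):
    """Build the Set-Cookie value a server would emit for a session id."""
    cookie = SimpleCookie()
    cookie[COOKIE] = session_id
    cookie[COOKIE]["path"] = "/"
    if secure:
        cookie[COOKIE]["secure"] = True
    return cookie[COOKIE].OutputString()


class FakeResponse:
    """Minimal response object: CookieJar only calls info().get_all()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_back(jar, url):
    """Return the Cookie header the client attaches to a request for url."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def demo(secure):
    jar = CookieJar()
    # The client receives the session cookie on an HTTPS response.
    header = session_set_cookie("abc123", secure)
    jar.extract_cookies(FakeResponse(header), Request(f"https://{HOST}/login"))
    return {
        "set_cookie": header,
        "https": cookie_sent_back(jar, f"https://{HOST}/account"),
        "http": cookie_sent_back(jar, f"http://{HOST}/public"),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, demo(flag))
```

With the attribute set, the request to the plain-HTTP URL carries no session cookie, which is the situation in which the server sees no session and may start a new one.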