Reputation: 87
I've deployed my app onto an Ubuntu VPS using Capistrano, nginx/Passenger and a wildcard SSL certificate.
The app works fine on development and my staging environment on Heroku.
However, there are two problems on production when users sign into the site using a secure page.
On the latest Chrome and Firefox the browsers start to enforce HTTPS on every single request, every time, regardless of whether the user is signed in or not. Even if I disable SSL on nginx the browser still attempts HTTPS and complains it cannot connect. The main page serves some insecure dynamic embedded items and uses an insecure CDN, so I would like to serve that page as non-SSL. Whenever I tried to redirect a page to non-SSL, either through an nginx rewrite or a before filter in Rails, it caused an infinite redirect loop.
Safari does not have the first problem above; it respects both HTTPS and HTTP requests. However, when the user has logged in and browses to a non-SSL page, they are signed out or lose the session instantly.
Has anyone encountered such a problem before or have an idea on how I could diagnose/fix the problem?
Thanks
Upvotes: 1
Views: 1589
Reputation: 4520
Were you using Rails 3.1 force_ssl to enable SSL, or a gem?
When you enabled HTTPS, you also enabled the HTTP Strict Transport Security flag, which the browser uses to immediately go to any HTTPS page on that domain before it sends the request to the server.
On Chrome, enter chrome://net-internals/#hsts into your browser and then you can delete your domain from the HSTS list, which should fix it for Chrome. Can't speak for Firefox as I don't use it that often.
The issue with it losing the session is likely because Rails is setting the authentication cookie as secure, which means it is only sent for HTTPS requests and not HTTP. Make sure your cookie_options in Rails are not setting :secure => true. Also check the Devise cookie_options setting to ensure that :secure => true isn't being set.
Upvotes: 1
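A small diagnostic for the two headers the answer points at, added here as an example and not part of the question or the answer: it parses a captured response's Strict-Transport-Security and Set-Cookie headers and reports which of the two symptoms each one produces. The sample headers are constructed; the assumption that a Rails app with force_ssl on sends both is noted in the code.

```ruby
# Added example: parse the two response headers behind the two symptoms
# (HSTS forcing HTTPS, Secure cookies dropping the session on HTTP pages).
# Run with: ruby hsts_cookie_check.rb  (the headers below are constructed sample data).

# Parse a Strict-Transport-Security header value into its directives.
# Returns nil when the header is absent (the browser pins nothing).
def parse_hsts(value)
  return nil if value.nil? || value.strip.empty?
  directives = value.split(';').map { |d| d.strip.downcase }
  max_age = directives.find { |d| d.start_with?('max-age=') }
  {
    max_age: max_age ? max_age.split('=', 2)[1].to_i : 0,
    include_subdomains: directives.include?('includesubdomains'),
    preload: directives.include?('preload')
  }
end

# Split one Set-Cookie header into the cookie name and its attribute flags.
def parse_cookie(value)
  parts = value.split(';').map(&:strip)
  name = parts.first.split('=', 2)[0]
  attrs = parts.drop(1).map(&:downcase)
  { name: name, secure: attrs.include?('secure'), http_only: attrs.include?('httponly') }
end

# Combine both checks into a list of findings. headers maps header name => value;
# 'Set-Cookie' may be an Array because a response can set several cookies.
def diagnose(headers)
  hsts = parse_hsts(headers['Strict-Transport-Security'])
  cookies = Array(headers['Set-Cookie']).map { |c| parse_cookie(c) }
  findings = []
  if hsts && hsts[:max_age] > 0
    findings << "HSTS active for #{hsts[:max_age]}s: browsers rewrite http:// to https:// " \
                "for this host#{' and its subdomains' if hsts[:include_subdomains]}, so a " \
                "redirect back to HTTP loops"
  end
  cookies.select { |c| c[:secure] }.each do |c|
    findings << "cookie #{c[:name]} is Secure: it is not sent on HTTP requests, " \
                "so a session kept in it is lost on any non-SSL page"
  end
  findings
end

# Constructed sample response (assumption: this is what a Rails app with
# force_ssl enabled returns, since it sets HSTS and marks the session cookie Secure).
SAMPLE = {
  'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
  'Set-Cookie' => ['_myapp_session=abc123; path=/; secure; HttpOnly',
                   'remember_user_token=tok; path=/; HttpOnly']
}

puts diagnose(SAMPLE) if __FILE__ == $0
```

Feed it the headers from a real response (for example the output of curl -sI against the secure page) to see which of the two settings is still in effect after a change.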