We recently switched our Rails 3 web site login over to use https.
Unfortunately, this is preventing users using Internet Explorer from
logging into our site.
The problem seems to be the issue described in this SO post:
http://stackoverflow.com/questions/2577026/cookie-not-renewing-overwriting-in-ie
I've confirmed using Fiddler that IE is indeed sending two cookies
when devise issues a redirect following a successful login. Then
Rails seems to be using the first non-authenticated session cookie to
re-establish the session, hence our site thinks the user is not logged
in.
Wondering if anyone has experienced this and knows a workaround. In
the SO post, the solution seemed to be to always issue cookies using
the base domain. When logging into our site with https, we use a
subdomain, e.g. secure.oursite.com, rather than just oursite.com.
Anyone know whether we can change something in our Rails/Devise config
to cause the session cookies to be issued with the base domain?
Logging in with https works fine in other browsers and when using http
in IE.
Thanks
Martin
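
Added example, not part of the original post: a small Ruby diagnostic for the symptom described above, a request that carries the session cookie name twice. The cookie name `_oursite_session`, the sample header and the first-match-wins model of cookie parsing are assumptions made for illustration.

```ruby
# Added example: flag requests that send the same cookie name more than once.
# Cookie name and sample header are constructed, not taken from a real capture.

# Split a raw Cookie request header into ordered [name, value] pairs.
def cookie_pairs(header)
  header.to_s.split(/;\s*/).map do |pair|
    name, value = pair.split('=', 2)
    [name.to_s.strip, value.to_s]
  end.reject { |name, _| name.empty? }
end

# Names that occur more than once, mapped to their values in header order.
def duplicate_cookies(header)
  cookie_pairs(header)
    .group_by(&:first)
    .select { |_, pairs| pairs.size > 1 }
    .transform_values { |pairs| pairs.map(&:last) }
end

# Value a first-match-wins parser would hand to the app (assumed model).
def first_wins(header, name)
  pair = cookie_pairs(header).find { |n, _| n == name }
  pair && pair.last
end

# Rack-style middleware: records a warning when the watched cookie is
# duplicated. Only the count is recorded, never the session value itself.
class DuplicateCookieDetector
  attr_reader :warnings

  def initialize(app, watch:)
    @app = app
    @watch = watch
    @warnings = []
  end

  def call(env)
    values = duplicate_cookies(env['HTTP_COOKIE'])[@watch]
    if values
      @warnings << "#{env['HTTP_HOST']}: #{@watch} sent #{values.size} times"
    end
    @app.call(env)
  end
end

# Constructed header: stale anonymous session first, authenticated one second.
SAMPLE_COOKIE = '_oursite_session=anon1111aaaa; locale=en; ' \
                '_oursite_session=auth2222bbbb'
```

Pasting a Cookie header captured in Fiddler into `duplicate_cookies` shows whether the browser is sending two session cookies and in which order.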