Here are a couple of helper methods for ensuring forms are set to submit via https in the production environment (but not in dev), and for redirecting back out of SSL afterward. Since SSL can be resource intensive on the server, it's usually good to hop back out into cleartext unless the nature of the application (e.g., financials) warrants encrypting the whole session.
To create a form that uses SSL, just replace form_tag with form_tag_using_SSL_in_production.
In application_helper.rb:
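# production? is not shown in this post; it is assumed to be defined elsewhere in the app.
def form_tag_using_SSL_in_production form_args, &block
  # In production, turn the form action into an absolute https:// URL.
  form_args[:protocol], form_args[:only_path] = 'https', false if production?
  form_tag form_args, &block
end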
form_for is the preferred helper ... if it's actually a "form for" a model object, which this one was not. I'll leave the analogous form_for_using_SSL... as an exercise for the reader.
When you're done with the relevant action processing, any content rendered is going to get sent back under the SSL connection. At some point (in my case, immediately) you want to redirect out of SSL. Just use redirect_and_drop_SSL the same way you would use redirect_to.
def redirect_and_drop_SSL destination
  destination[:protocol], destination[:only_path] = 'http', false if request.ssl?
  redirect_to destination  # destination is a url_for options hash
end
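The rewrite both helpers perform on the url_for options, as an added stand-alone example (not code from the original post). build_url is a simplified stand-in for Rails' url_for as used in a view, the host name and sample hashes are constructed, and unlike the helpers above these functions work on a copy of the hash instead of modifying the caller's.

```ruby
# Added example: models the option rewriting done by the two helpers.
HOST = 'shop.example.test' # constructed host name

# Simplified stand-in for url_for in a view (assumption, not the Rails code):
# a path-only URL unless :only_path is false, in which case :protocol applies.
def build_url(opts)
  path = "/#{opts[:controller]}/#{opts[:action]}"
  return path if opts.fetch(:only_path, true)
  "#{opts.fetch(:protocol, 'http')}://#{HOST}#{path}"
end

# Same rewrite as form_tag_using_SSL_in_production, applied to a copy.
def ssl_form_options(form_args, production)
  return form_args unless production
  form_args.merge(protocol: 'https', only_path: false)
end

# Same rewrite as redirect_and_drop_SSL, applied to a copy.
def drop_ssl_options(destination, request_is_ssl)
  return destination unless request_is_ssl
  destination.merge(protocol: 'http', only_path: false)
end

# URL the form would post to in the given environment.
def form_action(form_args, production)
  build_url(ssl_form_options(form_args, production))
end

login = { controller: 'account', action: 'login' } # constructed sample
home  = { controller: 'account', action: 'home' }  # constructed sample

puts form_action(login, false)                 # development: path only
puts form_action(login, true)                  # production: absolute https URL
puts build_url(drop_ssl_options(home, true))   # after the SSL post: absolute http URL
puts drop_ssl_options(home, false).inspect     # non-SSL request: options untouched
```

Setting :protocol alone is not enough in this model: without :only_path set to false the generated URL has no scheme, which is why both helpers set the two keys together.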
You might be thinking this stuff is too trivial to post about, and anyone who needs to use SSL knows this stuff already. Unfortunately, that's not entirely the case, as I'll write about in my next post.