config.force_ssl should mark the session as secure.

2 files changed, 33 insertions, 0 deletions

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 19e8426e60..6d3349c61b 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -266,6 +266,9 @@ module Rails
         middleware.use ::ActionDispatch::Cookies
 
         if config.session_store
+          if config.force_ssl && !config.session_options.key?(:secure)
+            config.session_options[:secure] = true
+          end
           middleware.use config.session_store, config.session_options
           middleware.use ::ActionDispatch::Flash
         end
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
new file mode 100644
index 0000000000..f4e77ee244
--- /dev/null
+++ b/railties/test/application/middleware/session_test.rb
@@ -0,0 +1,30 @@
+# encoding: utf-8
+require 'isolation/abstract_unit'
+require 'rack/test'
+
+module ApplicationTests
+  class MiddlewareSessionTest < ActiveSupport::TestCase
+    include ActiveSupport::Testing::Isolation
+    include Rack::Test::Methods
+
+    def setup
+      build_app
+      boot_rails
+      FileUtils.rm_rf "#{app_path}/config/environments"
+    end
+
+    def teardown
+      teardown_app
+    end
+
+    def app
+      @app ||= Rails.application
+    end
+
+    test "config.force_ssl sets cookie to secure only" do
+      add_to_config "config.force_ssl = true"
+      require "#{app_path}/config/environment"
+      assert app.config.session_options[:secure], "Expected session to be marked as secure"
+    end
+  end
+end