From 9848e26190436df1f834e274811ca462aa6164c8 Mon Sep 17 00:00:00 2001
From: Sam
Date: Thu, 27 Oct 2016 15:15:58 +1100
Subject: [PATCH] FIX: force secure cookies on session if force https is enabled
---
 config/initializers/100-session_store.rb | 4 +++-
 lib/discourse_cookie_store.rb | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 lib/discourse_cookie_store.rb
diff --git a/config/initializers/100-session_store.rb b/config/initializers/100-session_store.rb
index e89e764e869..d83a343e0c3 100644
--- a/config/initializers/100-session_store.rb
+++ b/config/initializers/100-session_store.rb
@@ -1,7 +1,9 @@
 # Be sure to restart your server when you modify this file.
+#
+require_dependency 'discourse_cookie_store'
 
 Discourse::Application.config.session_store(
- :cookie_store,
+ :discourse_cookie_store,
 key: '_forum_session',
 path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
 )
diff --git a/lib/discourse_cookie_store.rb b/lib/discourse_cookie_store.rb
new file mode 100644
index 00000000000..23745a79133
--- /dev/null
+++ b/lib/discourse_cookie_store.rb
@@ -0,0 +1,16 @@
+class ActionDispatch::Session::DiscourseCookieStore < ActionDispatch::Session::CookieStore
+ def initialize(app, options={})
+ super(app,options)
+ end
+
+ private
+
+ def set_cookie(request, session_id, cookie)
+ if Hash === cookie
+ if SiteSetting.force_https
+ cookie[:secure] = true
+ end
+ end
+ cookie_jar(request)[@key] = cookie
+ end
+end
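Review bot: The `set_cookie` override re-implements the parent's private body, `cookie_jar(request)[@key] = cookie`, so it is coupled to a Rails-internal helper and ivar that can change between releases; setting the flag and then delegating keeps the same behaviour with less coupling: `cookie[:secure] = true if Hash === cookie && SiteSetting.force_https` followed by `super`. The `initialize` that only forwards to `super(app,options)` can be dropped outright. Operationally, once `force_https` is on a browser will refuse to store this cookie from a plain-http response, so a TLS-terminating proxy must pass the scheme through or logins fail silently; a short comment above the `SiteSetting.force_https` check, e.g. `# Secure attribute: browsers drop the cookie on http responses, so proxies must forward the scheme`, would spare the next reader that surprise. Session cookies issued before the setting was flipped presumably keep their old attributes until the session is next written, which is worth stating in the commit message or a comment.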