Rails session data is stored in cookies by default. Does it look like you want to use SSL cookies only?
UPDATED: try adding secure: true to your config/initializers/session_store.rb file, i.e.
secure_option = (Rails.env.development? || Rails.env.test?) ? false : true
YourApp::Application.config.session_store :cookie_store, { key: '_xxxx_session', secure: secure_option }
When creating Devise cookies, use the Rails settings.
Original answer:
In your config/initializers/devise.rb there should be a line that looks like this:
# :secure => true in order to force SSL only cookies.
Try adding it to config.rememberable_options and restarting Rails. NOTE: in development mode you don't need it; you can do:
secure_option = (Rails.env.development? || Rails.env.test?) ? false : true
config.rememberable_options = { :secure => secure_option }
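A way to check that the settings above took effect, as an added example that is not part of the original answer: it parses Set-Cookie header values and reports which watched cookies lack the Secure attribute. The header strings are constructed samples; `_xxxx_session` is the placeholder key from the answer, and `remember_user_token` assumes Devise's remember cookie for a `:user` scope.

```ruby
# Added example: audit Set-Cookie header values for the Secure attribute.
# Watched names are assumptions: '_xxxx_session' is the placeholder key from
# the answer; 'remember_user_token' assumes a Devise :user scope.
WATCHED_COOKIES = ['_xxxx_session', 'remember_user_token'].freeze

# Parse one Set-Cookie value into its name and a lowercase attribute map.
# Valueless attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip).reject(&:empty?)
  name, _value = pair.to_s.split('=', 2)
  flags = attrs.each_with_object({}) do |attr, acc|
    key, val = attr.split('=', 2)
    acc[key.downcase] = val.nil? ? true : val
  end
  { name: name, attrs: flags }
end

# Return the names of watched cookies that were set without Secure.
# Attribute names are case-insensitive, so 'secure' and 'Secure' both count.
def cookies_missing_secure(headers, watched = WATCHED_COOKIES)
  headers.map { |h| parse_set_cookie(h) }
         .select { |c| watched.include?(c[:name]) && !c[:attrs].key?('secure') }
         .map { |c| c[:name] }
end

# Constructed samples: responses before the change, with only the session
# cookie marked Secure, and with both cookies marked Secure.
BEFORE = [
  '_xxxx_session=abc123; path=/; HttpOnly',
  'remember_user_token=def456; path=/; expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly'
].freeze
SESSION_ONLY = [
  '_xxxx_session=abc123; path=/; secure; HttpOnly',
  'remember_user_token=def456; path=/; HttpOnly'
].freeze
AFTER = [
  '_xxxx_session=abc123; path=/; secure; HttpOnly',
  'remember_user_token=def456; path=/; Secure; HttpOnly',
  'locale=en; path=/' # not watched, so not reported
].freeze

if __FILE__ == $PROGRAM_NAME
  { 'before' => BEFORE, 'session only' => SESSION_ONLY, 'after' => AFTER }.each do |label, hdrs|
    puts "#{label}: missing Secure on #{cookies_missing_secure(hdrs).inspect}"
  end
end
```

Feed it the Set-Cookie values captured from a production-mode response after signing in with "remember me" checked; an empty result means both cookies are marked Secure.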