From 80c1c13ce3d8c0df8b4256e16593ca9eef3761ab Mon Sep 17 00:00:00 2001
From: r888888888
Date: Fri, 26 Jul 2013 17:37:44 -0700
Subject: [PATCH] fixes #1851

---
 app/controllers/sessions_controller.rb |  2 +-
 app/logical/session_creator.rb         | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 7634984a9..a493bf9a3 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -4,7 +4,7 @@ class SessionsController < ApplicationController
   end
 
   def create
-    session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember])
+    session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember], request.ssl?)
 
     if session_creator.authenticate
       url = params[:url] if params[:url] && params[:url].start_with?("/")
diff --git a/app/logical/session_creator.rb b/app/logical/session_creator.rb
index 4230a6037..4ce44e334 100644
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -1,12 +1,13 @@
 class SessionCreator
-  attr_reader :session, :cookies, :name, :password, :remember
+  attr_reader :session, :cookies, :name, :password, :remember, :secure
 
-  def initialize(session, cookies, name, password, remember)
+  def initialize(session, cookies, name, password, remember = false, secure = false)
     @session = session
     @cookies = cookies
     @name = name
     @password = password
     @remember = remember
+    @secure = secure
   end
 
   def authenticate
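Review bot: `request.ssl?` is passed as a sixth positional boolean, so at the call site nothing says what that `true`/`false` means, and the new `initialize(session, cookies, name, password, remember = false, secure = false)` signature in the session_creator.rb hunk below has the same readability problem. A keyword argument would make the intent explicit: `SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember], secure: request.ssl?)` together with `def initialize(session, cookies, name, password, remember = false, secure: false)`. Note also that `request.ssl?` reports the scheme as Rails sees it, so if TLS is terminated at a reverse proxy the Secure flag is only ever set when the proxy forwards the original scheme (for example via X-Forwarded-Proto) and the app trusts that header; a comment at the call site such as `# secure flag is only as accurate as request.ssl? — behind a TLS-terminating proxy this depends on the forwarded scheme` would save the next reader a debugging session. The `create` action continues past the end of this hunk.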
@@ -15,8 +16,15 @@ class SessionCreator
       user.update_column(:last_logged_in_at, Time.now)
 
       if remember.present?
-        cookies.permanent.signed[:user_name] = user.name
-        cookies.permanent[:password_hash] = user.bcrypt_cookie_password_hash
+        cookies.permanent.signed[:user_name] = {
+          :value => user.name,
+          :secure => secure
+        }
+        cookies.permanent[:password_hash] = {
+          :value => user.bcrypt_cookie_password_hash,
+          :secure => secure,
+          :httponly => true
+        }
       end
 
       session[:user_id] = user.id
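Review bot: The signed `:user_name` cookie is given `:secure => secure` but not `:httponly => true`, while the `:password_hash` cookie set immediately below gets both, so one of the two remember-me cookies stays readable from script for no apparent reason; the first hash should end with `:secure => secure,` followed by `:httponly => true` so the pair is set consistently. Since both hashes now repeat the same flags, a small private helper returning `{ :value => value, :secure => secure, :httponly => true }` would keep them from drifting apart again. The enclosing `authenticate` method begins and ends outside this hunk.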