fixes #1851

app/logical/session_creator.rb

@@ -1,12 +1,13 @@
 class SessionCreator
-  attr_reader :session, :cookies, :name, :password, :remember
+  attr_reader :session, :cookies, :name, :password, :remember, :secure
 
-  def initialize(session, cookies, name, password, remember)
+  def initialize(session, cookies, name, password, remember = false, secure = false)
     @session = session
     @cookies = cookies
     @name = name
     @password = password
     @remember = remember
+    @secure = secure
   end
 
   def authenticate
@@ -15,8 +16,15 @@ class SessionCreator
       user.update_column(:last_logged_in_at, Time.now)
 
       if remember.present?
-        cookies.permanent.signed[:user_name] = user.name
-        cookies.permanent[:password_hash] = user.bcrypt_cookie_password_hash
+        cookies.permanent.signed[:user_name] = {
+          :value => user.name,
+          :secure => secure
+        }
+        cookies.permanent[:password_hash] = {
+          :value => user.bcrypt_cookie_password_hash,
+          :secure => secure,
+          :httponly => true
+        }
       end
 
       session[:user_id] = user.id