allow secure session cookies through proxy or to localhost

lib/rack/session/abstract/id.rb

@@ -257,6 +257,7 @@ def initialize(app, options = {})
           @app = app
           @default_options = self.class::DEFAULT_OPTIONS.merge(options)
           @key = @default_options.delete(:key)
+          @trust_proxy = @default_options.delete(:trust_proxy)
           @cookie_only = @default_options.delete(:cookie_only)
           @same_site = @default_options.delete(:same_site)
           initialize_sid
@@ -368,7 +369,9 @@ def force_options?(options)
 
         def security_matches?(request, options)
           return true unless options[:secure]
-          request.ssl?
+          # OK to send a secure token over ssl, or to local host
+          # or if the instance is running behind a proxy that handles ssl
+          request.ssl? || request.host == 'localhost' || @trust_proxy
         end
 
         # Acquires the session from the environment and the session id from