config.force_ssl should mark the session as secure.

railties/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Rails 3.1.4 (unreleased) ##
 
+*   Setting config.force_ssl also marks the session cookie as secure.
+
+    *José Valim*
+
 *   Add therubyrhino to Gemfile in new applications when running under JRuby.
 
     *Guillermo Iguaran*
@@ -35,6 +39,8 @@
     Plugins developers need to special case their initializers that are
     meant to be run in the assets group by adding :group => :assets.
 
+    *José Valim*
+
 
 ## Rails 3.1.0 (August 30, 2011) ##
 

railties/lib/rails/application.rb

@@ -175,6 +175,9 @@ def default_middleware_stack
         middleware.use ::ActionDispatch::Cookies
 
         if config.session_store
+          if config.force_ssl && !config.session_options.key?(:secure)
+            config.session_options[:secure] = true
+          end
           middleware.use config.session_store, config.session_options
           middleware.use ::ActionDispatch::Flash
         end

railties/test/application/middleware/session_test.rb

@@ -0,0 +1,30 @@
+# encoding: utf-8
+require 'isolation/abstract_unit'
+require 'rack/test'
+
+module ApplicationTests
+  class MiddlewareSessionTest < ActiveSupport::TestCase
+    include ActiveSupport::Testing::Isolation
+    include Rack::Test::Methods
+
+    def setup
+      build_app
+      boot_rails
+      FileUtils.rm_rf "#{app_path}/config/environments"
+    end
+
+    def teardown
+      teardown_app
+    end
+
+    def app
+      @app ||= Rails.application
+    end
+
+    test "config.force_ssl sets cookie to secure only" do
+      add_to_config "config.force_ssl = true"
+      require "#{app_path}/config/environment"
+      assert app.config.session_options[:secure], "Expected session to be marked as secure"
+    end
+  end
+end