cookie_domain is deprecated in favor of cookie_options which uses session_options by default.

CHANGELOG.rdoc

@@ -1,6 +1,7 @@
 * deprecations
   * sign_out_all_scopes defaults to true as security measure
   * http authenticatable is disabled by default
+  * cookie_domain is deprecated in favor of cookie_options
 
 * enhancements
   * Added OAuth 2 support
@@ -13,6 +14,7 @@
   * :rememberable is now able to use salt as token if no remember_token is provided
   * Store the salt in session and expire the session if the user changes his password
   * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication
+  * cookie_options uses session_options values by default
 
 * bugfix
   * after_sign_in_path_for always receives a resource

lib/devise.rb

@@ -52,8 +52,8 @@ module Devise
   }
 
   # Custom domain for cookies. Not set by default
-  mattr_accessor :cookie_domain
-  @@cookie_domain = false
+  mattr_accessor :cookie_options
+  @@cookie_options = {}
 
   # The number of times to encrypt password.
   mattr_accessor :stretches
@@ -214,6 +214,12 @@ module Devise
     yield self
   end
 
+  def self.cookie_domain=(value)
+    ActiveSupport::Deprecation.warn "Devise.cookie_domain=(value) is deprecated. "
+      "Please use Devise.cookie_options = { :domain => value } instead."
+    self.cookie_options[:domain] = value
+  end
+
   # Get the mailer class from the mailer reference object.
   def self.mailer
     @@mailer_ref.get

lib/devise/hooks/forgetable.rb

@@ -5,7 +5,8 @@
 Warden::Manager.before_logout do |record, warden, options|
   if record.respond_to?(:forget_me!)
     record.forget_me! unless record.frozen?
-    cookie_options = record.cookie_domain? ? { :domain => record.cookie_domain } : {}
+    cookie_options = Rails.configuration.session_options.slice(:path, :domain, :secure)
+    cookie_options.merge!(record.cookie_options)
     warden.cookies.delete("remember_#{options[:scope]}_token", cookie_options)
   end
 end

lib/devise/hooks/rememberable.rb

@@ -10,20 +10,22 @@ module Devise
 
         if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
           resource.remember_me!(extend_remember_period?)
-
-          configuration = {
-            :value => resource.class.serialize_into_cookie(resource),
-            :expires => resource.remember_expires_at,
-            :path => "/"
-          }
-
-          configuration[:domain] = resource.cookie_domain if resource.cookie_domain?
-          cookies.signed["remember_#{scope}_token"] = configuration
+          cookies.signed["remember_#{scope}_token"] = cookie_values(resource)
         end
       end
 
     protected
 
+      def cookie_values(resource)
+        options = Rails.configuration.session_options.slice(:path, :domain, :secure)
+        options.merge!(resource.cookie_options)
+        options.merge!(
+          :value => resource.class.serialize_into_cookie(resource),
+          :expires => resource.remember_expires_at
+        )
+        options
+      end
+
       def succeeded?
         @result == :success
       end

lib/devise/models/rememberable.rb

@@ -17,7 +17,7 @@ module Devise
     #
     #   * +remember_for+: the time you want the user will be remembered without
     #     asking for credentials. After this time the user will be blocked and
-    #     will have to enter his credentials again. This configuration is als
+    #     will have to enter his credentials again. This configuration is also
     #     used to calculate the expires time for the cookie created to remember
     #     the user. By default remember_for is 2.weeks.
     #
@@ -29,6 +29,8 @@ module Devise
     #   * +extend_remember_period+: if true, extends the user's remember period
     #     when remembered via cookie. False by default.
     #
+    #   * +cookie_options+: configuration options passed to the created cookie.
+    #
     # == Examples
     #
     #   User.find(1).remember_me!  # regenerating the token
@@ -73,18 +75,14 @@ module Devise
         remember_created_at + self.class.remember_for
       end
 
-      def cookie_domain
-        self.class.cookie_domain
-      end
-
-      def cookie_domain?
-        self.class.cookie_domain != false
-      end
-
       def rememberable_value
         respond_to?(:remember_token) ? self.remember_token : self.authenticatable_salt
       end
 
+      def cookie_options
+        self.class.cookie_options
+      end
+
     protected
 
       # Generate a token unless remember_across_browsers is true and there is
@@ -117,7 +115,7 @@ module Devise
         end
 
         Devise::Models.config(self, :remember_for, :remember_across_browsers,
-          :extend_remember_period, :cookie_domain)
+          :extend_remember_period, :cookie_options)
       end
     end
   end

test/integration/rememberable_test.rb

@@ -43,16 +43,26 @@ class RememberMeTest < ActionController::IntegrationTest
     assert request.cookies["remember_user_token"]
   end
 
-  test 'generate remember token after sign in setting cookie domain' do
+  test 'generate remember token after sign in setting cookie options' do
     # We test this by asserting the cookie is not sent after the redirect
     # since we changed the domain. This is the only difference with the
     # previous test.
-    swap User, :cookie_domain => "omg.somewhere.com" do
+    swap Devise, :cookie_options => { :domain => "omg.somewhere.com" } do
       user = sign_in_as_user :remember_me => true
       assert_nil request.cookies["remember_user_token"]
     end
   end
 
+  test 'generate remember token after sign in setting session options' do
+    begin
+      Rails.configuration.session_options[:domain] = "omg.somewhere.com"
+      user = sign_in_as_user :remember_me => true
+      assert_nil request.cookies["remember_user_token"]
+    ensure
+      Rails.configuration.session_options.delete(:domain)
+    end
+  end
+
   test 'remember the user before sign in' do
     user = create_user_and_remember
     get users_path