config.force_ssl should mark the session as secure.

railties/lib/rails/application.rb

@@ -258,6 +258,9 @@ module Rails
         middleware.use ::ActionDispatch::Cookies
 
         if config.session_store
+          if config.force_ssl && !config.session_options.key?(:secure)
+            config.session_options[:secure] = true
+          end
           middleware.use config.session_store, config.session_options
           middleware.use ::ActionDispatch::Flash
         end

railties/test/application/middleware/session_test.rb

@@ -0,0 +1,30 @@
+# encoding: utf-8
+require 'isolation/abstract_unit'
+require 'rack/test'
+
+module ApplicationTests
+  class MiddlewareSessionTest < ActiveSupport::TestCase
+    include ActiveSupport::Testing::Isolation
+    include Rack::Test::Methods
+
+    def setup
+      build_app
+      boot_rails
+      FileUtils.rm_rf "#{app_path}/config/environments"
+    end
+
+    def teardown
+      teardown_app
+    end
+
+    def app
+      @app ||= Rails.application
+    end
+
+    test "config.force_ssl sets cookie to secure only" do
+      add_to_config "config.force_ssl = true"
+      require "#{app_path}/config/environment"
+      assert app.config.session_options[:secure], "Expected session to be marked as secure"
+    end
+  end
+end