Merge pull request #2276 from manyfold3d/remember-cookie-respect-https

Make the "remember me" cookie HTTPS-only if appropriate

config/initializers/devise.rb

@@ -174,7 +174,7 @@
 
   # Options to be passed to the created cookie. For instance, you can set
   # secure: true in order to force SSL only cookies.
-  # config.rememberable_options = {}
+  config.rememberable_options = {secure: (ENV.fetch("HTTPS_ONLY", nil) === "enabled")}
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this