ahx/validate_session_cookie.rb

## validate_session_cookie.rb
# Store an additional secure cookie and validate the session when using HTTPS.
# This technique is described here: http://railscasts.com/episodes/356-dangers-of-session-hijacking?view=asciicast

# Write the cookie
Warden::Manager.after_authentication do |user, auth, options|
  scope = options[:scope]
  auth.cookies.signed["secure_#{scope}_id"] = { secure: true, value: "secure#{user.id}" }
end

# Validate the session when using HTTPS
Warden::Manager.after_set_user do |user, auth, options|
  return if !auth.request.ssl?
  scope = options[:scope]
  unless auth.cookies.signed["secure_#{scope}_id"] == "secure#{user.id}"
    auth.logout(scope)
  end
end

# Delete the cookie
Warden::Manager.before_logout do |user, auth, options|
  scope = options[:scope]
  auth.cookies.delete("secure_#{scope}_id")
end
	# Store an additional secure cookie and validate the session when using HTTPS.
	# This technique is described here: http://railscasts.com/episodes/356-dangers-of-session-hijacking?view=asciicast

	# Write the cookie
	Warden::Manager.after_authentication do \|user, auth, options\|
	scope = options[:scope]
	auth.cookies.signed["secure_#{scope}_id"] = { secure: true, value: "secure#{user.id}" }
	end

	# Validate the session when using HTTPS
	Warden::Manager.after_set_user do \|user, auth, options\|
	return if !auth.request.ssl?
	scope = options[:scope]
	unless auth.cookies.signed["secure_#{scope}_id"] == "secure#{user.id}"
	auth.logout(scope)
	end
	end

	# Delete the cookie
	Warden::Manager.before_logout do \|user, auth, options\|
	scope = options[:scope]
	auth.cookies.delete("secure_#{scope}_id")
	end