Getting SSL, Capybara, Rails 3, and Devise to work together

# config/application.rb
Bundler.require(:default, Rails.env) if defined?(Bundler)

require 'rack/ssl' # add this before the app definition

module YourApp
  class Application < Rails::Application
    # <snip>
    config.middleware.insert_before ActionDispatch::Cookies, Rack::SSL
    # <snip>
  end
end

# when Rails 3.1 ships you can get rid of the rack/ssl require, and just
# add config.force_ssl = true to the above

# app/controllers/application_controller.rb
def default_url_options(options = {})
  options.merge(protocol: "https")
end

# config/initializers/devise.rb
# httponly: true is not needed for SSL enforcement but I think it's a good default
config.cookie_options = { secure: true, httponly: true }

# lib/failure_app.rb
# found this on the devise wiki but can't find the page anymore
# make sure this code gets loaded; if it's in lib you need to require it
# explicitly or make lib/ an autoload path
class CustomFailure < Devise::FailureApp
  def redirect_url
    new_user_session_url(protocol: "https")
  end

  # You need to override respond to eliminate recall
  def respond
    if http_auth?
      http_auth
    else
      redirect
    end
  end
end

# Gemfile
gem "rack-ssl", "1.3.2"

# when Capybara issue 409 or 422 gets resolved, you can switch back to the official
# capybara gem
# https://github.com/jnicklas/capybara/pull/409
# https://github.com/jnicklas/capybara/pull/422
gem "capybara", git: "https://github.com/mcolyer/capybara.git", branch: "fix-ssl-redirects"

# config/initializers/session_store.rb
# this probably isn't needed since Rack::SSL handles it, but just for good measure
YourApp::Application.config.session_store :cookie_store,
  :key => '_yourapp_secure_session',
  :secure => true,
  :httponly => true
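
One way to check that the settings above took effect, as an added example that is not part of the gist: it audits a Rack-style status and headers pair for the HTTPS redirect, the Strict-Transport-Security header that Rack::SSL sends by default, and the Secure and HttpOnly cookie flags. The function names and the sample responses are hypothetical and constructed for illustration.

```ruby
# Added example (not from the gist). Inputs are a Rack-style status and headers hash.
def header(headers, name)
  headers.find { |k, _| k.casecmp(name).zero? }&.last
end

# Rack 2 joins multiple cookies with "\n"; Rack 3 uses an Array. Handle both.
def cookie_lines(headers)
  Array(header(headers, "Set-Cookie")).flat_map { |v| v.split("\n") }.reject(&:empty?)
end

# Lowercased attribute names of one cookie, e.g. ["path", "httponly", "secure"].
def cookie_attributes(cookie)
  cookie.split(";").drop(1).map { |part| part.split("=", 2).first.to_s.strip.downcase }
end

# scheme is the scheme the request was sent over ("http" or "https").
# Returns a list of findings; an empty list means the response passed.
def audit_response(scheme, status, headers)
  findings = []
  if scheme == "http"
    location = header(headers, "Location").to_s
    unless [301, 302, 307, 308].include?(status) && location.start_with?("https://")
      findings << "plain HTTP request was not redirected to https"
    end
    findings << "cookie set on plain HTTP response" unless cookie_lines(headers).empty?
  else
    findings << "missing Strict-Transport-Security" unless header(headers, "Strict-Transport-Security")
    cookie_lines(headers).each do |cookie|
      name = cookie.split("=", 2).first
      attrs = cookie_attributes(cookie)
      findings << "#{name}: missing Secure" unless attrs.include?("secure")
      findings << "#{name}: missing HttpOnly" unless attrs.include?("httponly")
    end
  end
  findings
end

# Constructed sample responses (not captured from a real application).
GOOD_HTTPS = [200, { "Strict-Transport-Security" => "max-age=31536000",
                     "Set-Cookie" => "_yourapp_secure_session=abc; path=/; HttpOnly; secure" }]
BAD_HTTPS = [200, { "Set-Cookie" => "_yourapp_secure_session=abc; path=/\n" \
                                    "remember_user_token=xyz; path=/; secure" }]
HTTP_REDIRECT = [301, { "Location" => "https://example.test/users/sign_in" }]
HTTP_NO_REDIRECT = [200, { "Set-Cookie" => "_yourapp_secure_session=abc; path=/" }]
```

In a Capybara or Rack::Test suite, the status and headers of the last response can be passed to `audit_response` so a regression in any of these settings fails the build.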