diff --git a/config/initializers/auto_secure_cookies.rb b/config/initializers/auto_secure_cookies.rb
new file mode 100644
index 0000000..004795f
--- /dev/null
+++ b/config/initializers/auto_secure_cookies.rb
@@ -0,0 +1,17 @@
+# rails only allows to globally flag session cookies as either secure or not
+# this patch sets the secure flag for cookies based on the protocol (@secure)
+# this is used to send cookies via http but flag them secure for https
+# which allows use with HTTP over Tor for an onion domain
+# this is acceptable because nginx redirects clearnet http to https
+
+module ActionDispatch
+ class Cookies
+ class CookieJar
+ private
+ def write_cookie?(cookie)
+ cookie[:secure] = @secure
+ true
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index d2c5fb0..b9c9633 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -6,4 +6,4 @@
 Redstoner::Application.config.session_store :active_record_store,
 key: 'redstoner_session',
 expire_after: 5.days,
- secure: Rails.env.production?
\ No newline at end of file
+ secure: nil # see config/initializers/auto_secure_cookies.rb
\ No newline at end of file
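Review bot: `cookie[:secure] = @secure` in the new `write_cookie?` overwrites any cookie the application itself sets with `secure: true`, so such a cookie is written without the flag on a plain-HTTP request, whereas the stock Rails implementation (`@secure || !cookie[:secure] || always_write_cookie` in the 4.x/5.x series, if this app is on one of those) refuses to write it at all over HTTP. Upgrading instead of assigning keeps that protection while still flagging cookies on HTTPS: `cookie[:secure] ||= @secure` followed by `@secure || !cookie[:secure] || always_write_cookie` as the return value. Because the override replaces a private Rails internal, a load-time guard such as `raise "write_cookie? not found" unless ActionDispatch::Cookies::CookieJar.private_method_defined?(:write_cookie?)` would make a Rails upgrade fail loudly rather than silently dropping the Secure flag. `@secure` presumably derives from `request.ssl?`, which behind nginx is only accurate when the proxy sets the forwarded-proto header itself and does not pass a client-supplied one through; that is worth stating in the header comment.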
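Review bot: With `secure: nil` the session cookie's Secure attribute is no longer enforced by Rails itself but only by the initializer this line points at, so a regression there would leave the production session cookie unflagged without any error. An integration test asserting that a response to an HTTPS request carries `redstoner_session` with the Secure attribute would catch that; the comment could also say so, e.g. `# nil on purpose: auto_secure_cookies.rb sets Secure per request protocol`.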