RubyFlow The Ruby and Rails community linklog

Rails cookies are dangerous

Turns out, Rails cookies can be dangerous and they don’t play nice with others.

Signed and encrypted cookies (sessions, remember-me, etc.) are serialized using Marshal, which is problematic for two reasons: security (someone with the session key can execute arbitrary code server side, because Marshal rebuilds whatever Ruby objects the cookie payload names) and compatibility (you can't share a session with a non-Ruby app).

You can't currently change Rails' default serializer, but here is a monkey patch for Rails 4. And here is a discussion about changing Rails' default serializer.

Please consider helping with the pull request the Rails team wants us to come up with.
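To make the serializer point concrete, here is an added stand-alone Ruby sketch (not code from the linked post or from Rails itself) of a Rails-style signed cookie with a pluggable serializer: the signature layout follows Rails' `data--hmac` format, but the secret, the `AuditEvent` class and all helper names are constructed for this example. It shows that with Marshal a correctly signed payload comes back as a live object, so the signing secret doubles as a code-execution key, while JSON only ever yields plain data that any language can read.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed secret standing in for Rails' secret_token / secret_key_base.
SECRET = "constructed-secret-not-a-real-key"

# Two pluggable serializers: Marshal rebuilds arbitrary Ruby objects,
# JSON only ever yields Hash, Array, String, Numeric, true/false/nil.
MARSHAL_SERIALIZER = { dump: ->(o) { Marshal.dump(o) }, load: ->(s) { Marshal.load(s) } }
JSON_SERIALIZER    = { dump: ->(o) { JSON.generate(o) }, load: ->(s) { JSON.parse(s) } }

# Same layout as a Rails signed cookie: "<base64(payload)>--<HMAC-SHA1 hex>".
def sign_cookie(value, secret, serializer)
  data = Base64.strict_encode64(serializer[:dump].call(value))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", secret, data)}"
end

# Constant-time comparison so signature checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifies the signature first; only a correctly signed payload reaches the
# serializer. Returns nil on tampering. The signature protects integrity only:
# whoever holds the secret can sign any payload they like.
def verify_cookie(cookie, secret, serializer)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA1", secret, data), digest)
  serializer[:load].call(Base64.strict_decode64(data))
end

# Constructed application class; a Marshal payload may name any loadable class.
class AuditEvent
  attr_reader :action
  def initialize(action)
    @action = action
  end
end

# Signs a payload with the secret and reports what class the server gets back.
def class_after_roundtrip(payload, serializer)
  verify_cookie(sign_cookie(payload, SECRET, serializer), SECRET, serializer).class.name
end

# The bytes a non-Ruby app sees after base64-decoding the data half.
def raw_payload(cookie)
  Base64.strict_decode64(cookie.split("--", 2).first)
end

# A flipped character in the data half must fail verification under either serializer.
def tampered_cookie_rejected?(serializer)
  cookie = sign_cookie({ "user_id" => 42 }, SECRET, serializer)
  forged = cookie.sub(/\A./) { |c| c == "A" ? "B" : "A" }
  verify_cookie(forged, SECRET, serializer).nil?
end
```

With Marshal the server receives an `AuditEvent` instance built entirely from cookie bytes; with JSON a payload that merely mentions the class name is just a `Hash`, and the decoded data is plain JSON text.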
