ActionMailer uses http as the protocol for generated URLs by default, which enables SSL stripping. When a logged-in user follows an http link to your application, the browser sends the session cookies along with that request. Although the application redirects the user to https and from that point on has a secure connection, an attacker who can eavesdrop on that first unencrypted request can read the cookies and hijack the session.
Teach ActionMailer to use the right protocol
If your application is behind SSL, turn on https application-wide. In your environment file (either the global one or a per-environment file, e.g. production only):

config.action_mailer.default_url_options = { :protocol => 'https', :host => 'your-application-host.com' }
If you want to send emails from public parts of your application with HTTP links and emails from SSL-protected parts with HTTPS links, build a before_filter that sets ActionMailer's default URL options from the current request.
If you need certain links to use HTTP regardless of the request's protocol, set the protocol per link:

= link_to 'My App', root_url(:protocol => 'http') # per link
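As an added example that is not part of the original card and does not depend on Rails, the following plain Ruby mirrors the three pieces above: application-wide default URL options with a per-link override, the before_filter logic that derives protocol and host from the current request, and a defensive check that flags outgoing mail bodies still containing plain-http links to your own host. AppUrls, build_url, url_options_for_request and insecure_app_links are hypothetical names (not Rails API), and the host and mail body are constructed sample values.

```ruby
require 'uri'

# Stand-in for Rails' default_url_options plus the *_url helpers: the
# defaults supply protocol and host, a per-call option overrides them.
# AppUrls and build_url are hypothetical names, not Rails API.
module AppUrls
  DEFAULT_URL_OPTIONS = { protocol: 'https', host: 'your-application-host.com' }.freeze

  def self.build_url(path, options = {})
    opts = DEFAULT_URL_OPTIONS.merge(options)
    "#{opts[:protocol]}://#{opts[:host]}#{path}"
  end
end

# What a before_filter would compute from the current request: mails sent
# from SSL-protected parts of the app get https links, mails from public
# parts get http links. In Rails you would assign the result to
# ActionMailer's default_url_options; here it is simply returned.
def url_options_for_request(ssl:, host:)
  { protocol: ssl ? 'https' : 'http', host: host }
end

# Defensive check for outgoing mail: return every link in the body that
# points at our own host over plain http. These are exactly the links an
# SSL-stripping attacker waits for, so an empty result is the goal.
def insecure_app_links(body, app_host)
  body.scan(%r{https?://[^\s"'<>)]+}).select do |link|
    uri = URI.parse(link)
    uri.scheme == 'http' && uri.host == app_host
  rescue URI::InvalidURIError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample mail body: one insecure link to our host, one
  # secure link to our host, one http link to an unrelated site.
  body = "Log in: http://your-application-host.com/login " \
         "Terms: https://your-application-host.com/terms " \
         "Blog: http://blog.example.org/post"
  puts AppUrls.build_url('/account')                # https by default
  puts AppUrls.build_url('/', protocol: 'http')     # per-link override
  p url_options_for_request(ssl: true, host: 'your-application-host.com')
  p insecure_app_links(body, 'your-application-host.com')
end
```

Running insecure_app_links over rendered mail bodies in a test suite is a cheap way to catch a mailer that still generates http links after the configuration change, for example because a before_filter was not applied to one controller.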
Also see Make ActionMailer use the current request host and protocol for URL generation