From ee6163ed9584509b19fab7f8c50e4c228a9e30da Mon Sep 17 00:00:00 2001
From: Pelle Braendgaard <pelleb@gmail.com>
Date: Sun, 14 Sep 2008 20:26:51 -0700
Subject: [PATCH] Added support for http_only cookies in cookie_store

---
 actionpack/lib/action_controller/cgi_process.rb    |    3 ++-
 .../lib/action_controller/session/cookie_store.rb  |    3 ++-
 .../lib/action_controller/session_management.rb    |    4 ++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/actionpack/lib/action_controller/cgi_process.rb b/actionpack/lib/action_controller/cgi_process.rb
index d381af1..fabacd9 100644
--- a/actionpack/lib/action_controller/cgi_process.rb
+++ b/actionpack/lib/action_controller/cgi_process.rb
@@ -42,7 +42,8 @@ module ActionController #:nodoc:
       :prefix           => "ruby_sess.",    # prefix session file names
       :session_path     => "/",             # available to all paths in app
       :session_key      => "_session_id",
-      :cookie_only      => true
+      :cookie_only      => true,
+      :session_http_only=> true
     }
 
     def initialize(cgi, session_options = {})
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 5bf7503..f2fb200 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -70,7 +70,8 @@ class CGI::Session::CookieStore
       'path'    => options['session_path'],
       'domain'  => options['session_domain'],
       'expires' => options['session_expires'],
-      'secure'  => options['session_secure']
+      'secure'  => options['session_secure'],
+      'http_only' => options['session_http_only']
     }
 
     # Set no_hidden and no_cookies since the session id is unused and we
diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb
index f5a1155..fd3d94e 100644
--- a/actionpack/lib/action_controller/session_management.rb
+++ b/actionpack/lib/action_controller/session_management.rb
@@ -60,6 +60,10 @@ module ActionController #:nodoc:
       #   # the session will only work over HTTPS, but only for the foo action
       #   session :only => :foo, :session_secure => true
       #
+      #   # the session by default uses HttpOnly sessions for security reasons.
+      #   # this can be switched off.
+      #   session :only => :foo, :session_http_only => false
+      #
       #   # the session will only be disabled for 'foo', and only if it is
       #   # requested as a web service
       #   session :off, :only => :foo,
-- 
1.5.5.3