add httponly constraint to user_name cookie #2621

2016-07-12 12:30:01 -07:00
parent c2d09af089
commit 8ea992168b
1 changed files with 2 additions and 1 deletions
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -18,7 +18,8 @@ class SessionCreator
      if remember.present?
        cookies.permanent.signed[:user_name] = {
          :value => user.name,
-          :secure => secure
+          :secure => secure,
+          :httponly => true
        }
        cookies.permanent[:password_hash] = {
          :value => user.bcrypt_cookie_password_hash,