From 8ea992168b24d4d1d1e1b5f85a2558c0aab9f450 Mon Sep 17 00:00:00 2001
From: r888888888
Date: Tue, 12 Jul 2016 12:30:01 -0700
Subject: [PATCH] add httponly constraint to user_name cookie #2621
---
 app/logical/session_creator.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/logical/session_creator.rb b/app/logical/session_creator.rb
index 8b60032a7..b21c3eb72 100644
--- a/app/logical/session_creator.rb
+++ b/app/logical/session_creator.rb
@@ -18,7 +18,8 @@ class SessionCreator
 if remember.present?
 cookies.permanent.signed[:user_name] = {
 :value => user.name,
- :secure => secure
+ :secure => secure,
+ :httponly => true
 }
 cookies.permanent[:password_hash] = {
 :value => user.bcrypt_cookie_password_hash,
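Review bot: The `:httponly => true` flag is added only to the `:user_name` cookie, while the `:password_hash` cookie set two lines below in the same hunk — the credential-bearing one, and the one that is not under `.signed` — does not receive it in this commit. Its hash literal continues past the end of the hunk, so I cannot see whether `:secure` is set there either; both flags should be applied to it the same way, e.g. `:secure => secure,` followed by `:httponly => true` after `:value => user.bcrypt_cookie_password_hash,`. A short comment above the two assignments, such as `# Both remember-me cookies are inaccessible to script (httponly) and sent only over TLS when `secure` is set`, would make the intent explicit for the next edit to this block. The enclosing method starts before the hunk and ends after it.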