JamesFerguson · December 21, 2010 00:26
diff --git a/environment.rb b/environment.rb
 # config/environment.rb
 # ...
 Dir[Rails.root + 'lib/monkey_patches/**/*.rb'].each { |file| require file }
 # ...
diff --git a/rememberable.rb b/rememberable.rb
 # lib/monkey_patches/devise/hooks/rememberable.rb
 # monkey patch to make remember_#{scope}_token cookie be ':httponly => true'
 module Devise
  module Hooks
    module Rememberable
      def success!(resource)
        super
      
        if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
          resource.remember_me!(extend_remember_period?)
      
          configuration = {
            :value => resource.class.serialize_into_cookie(resource),
            :expires => resource.remember_expires_at,
            :path => "/",
            :httponly => true
          }
      
          configuration[:domain] = resource.cookie_domain if resource.cookie_domain?
          cookies.signed["remember_#{scope}_token"] = configuration
          
        end
      end
    end
  end
 end
diff --git a/sessions_controller_spec.rb b/sessions_controller_spec.rb
 # spec/controllers/devise/sessions_controller_spec.rb
 require 'spec_helper'

 describe Devise::SessionsController do
  before(:each) do
    request.env['devise.mapping'] = Devise.mappings[:user]
  end
  
  describe "POST create" do
    it "sets an HttpOnly remember me cookie when the user checks 'Remember Me'" do
      @mock_user = mock_model(User, :valid_for_authentication? => true, :to_int => 1001).as_null_object
      User.stub(:find).and_return(@mock_user)
      
      post :create, :user => { :email => "[email protected]", :password => "1234567890", :remember_me => "1" }
      assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"]
    end
  end
 end
	# config/environment.rb
	# ...
	Dir[Rails.root + 'lib/monkey_patches/*/.rb'].each { \|file\| require file }
	# ...
	# lib/monkey_patches/devise/hooks/rememberable.rb
	# monkey patch to make remember_#{scope}_token cookie be ':httponly => true'
	module Devise
	module Hooks
	module Rememberable
	def success!(resource)
	super

	if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
	resource.remember_me!(extend_remember_period?)

	configuration = {
	:value => resource.class.serialize_into_cookie(resource),
	:expires => resource.remember_expires_at,
	:path => "/",
	:httponly => true
	}

	configuration[:domain] = resource.cookie_domain if resource.cookie_domain?
	cookies.signed["remember_#{scope}_token"] = configuration

	end
	end
	end
	end
	end
	# spec/controllers/devise/sessions_controller_spec.rb
	require 'spec_helper'

	describe Devise::SessionsController do
	before(:each) do
	request.env['devise.mapping'] = Devise.mappings[:user]
	end

	describe "POST create" do
	it "sets an HttpOnly remember me cookie when the user checks 'Remember Me'" do
	@mock_user = mock_model(User, :valid_for_authentication? => true, :to_int => 1001).as_null_object
	User.stub(:find).and_return(@mock_user)

	post :create, :user => { :email => "[email protected]", :password => "1234567890", :remember_me => "1" }
	assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"]
	end
	end
	end