Diff of a one-line patch to Devise making its remember_scope_token cookie HttpOnly by default
diff --git a/test/integration/rememberable_test.rb b/test/integration/rememberable_test.rb
index 14e66fb..295fab0 100644
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
@@ -54,6 +54,7 @@ class RememberMeTest < ActionController::IntegrationTest
test 'remember the user before sign in' do
user = create_user_and_remember
get users_path
assert_response :success
assert warden.authenticated?(:user)
assert warden.user(:user) == user
+ assert_match /remember_user_token[^\n]*HttpOnly\n/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token coo
end
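Review bot: the regex in the added assertion requires a literal `\n` immediately after `HttpOnly`, so it fails whenever remember_user_token is the last cookie in the Set-Cookie value (no trailing newline) or any attribute is emitted after HttpOnly; `assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"]` checks the same property without depending on cookie order. The new check also only exercises the "remember the user before sign in" path; an equivalent assertion in a test that signs in with remember_me set would confirm the flag is present when the cookie is first written by the hook changed in the second hunk.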
diff --git a/lib/devise/hooks/rememberable.rb b/lib/devise/hooks/rememberable.rb
index 15c7181..eeeafee 100644
--- a/lib/devise/hooks/rememberable.rb
+++ b/lib/devise/hooks/rememberable.rb
@@ -8,19 +8,20 @@ module Devise
def success!(resource)
super
if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
resource.remember_me!(extend_remember_period?)
configuration = {
:value => resource.class.serialize_into_cookie(resource),
:expires => resource.remember_expires_at,
- :path => "/"
+ :path => "/",
+ :httponly => true
}
configuration[:domain] = resource.cookie_domain if resource.cookie_domain?
cookies.signed["remember_#{scope}_token"] = configuration
end
end
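Review bot: `:httponly => true` is hardcoded, so an application cannot add `:secure => true` for HTTPS-only deployments or adjust the flag alongside it; consider sourcing these cookie options from a Devise configuration hash merged into `configuration` (keeping HttpOnly on by default), and do the merge before the `configuration[:domain] = resource.cookie_domain ...` line so the domain logic still wins. Since this changes the attributes of every `remember_#{scope}_token` cookie issued, the behaviour change also deserves a changelog entry.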