From af1295284ccd9d05bec752dd92a2c2ec393ee899 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Sat, 25 Dec 2010 12:04:04 +0100
Subject: [PATCH] rememberable cookie now is httponly by default

---
 CHANGELOG.rdoc                        | 1 +
 lib/devise/hooks/rememberable.rb      | 3 +++
 test/integration/rememberable_test.rb | 6 +++---
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc
index c23c64d5..fb205f39 100644
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -6,6 +6,7 @@
   * rails g destroy works properly with devise generators (by github.com/andmej)
   * recall options is now passed forward by hooks (by github.com/siong1987)
   * before_failure callbacks should work on test helpers (by github.com/twinge)
+  * rememberable cookie now is httponly by default (by github.com/JamesFerguson)
 
 * deprecations
   * Deprecated anybody_signed_in? in favor of signed_in? (by github.com/gavinhughes)

diff --git a/lib/devise/hooks/rememberable.rb b/lib/devise/hooks/rememberable.rb
index 0fcbf2f7..322e1359 100644
--- a/lib/devise/hooks/rememberable.rb
+++ b/lib/devise/hooks/rememberable.rb
@@ -18,11 +18,14 @@ module Devise
 
       def cookie_values(resource)
         options = Rails.configuration.session_options.slice(:path, :domain, :secure)
+        options[:httponly] = true
+
         options.merge!(resource.cookie_options)
         options.merge!(
           :value => resource.class.serialize_into_cookie(resource),
           :expires => resource.remember_expires_at
         )
+
         options
       end
 

diff --git a/test/integration/rememberable_test.rb b/test/integration/rememberable_test.rb
index 62e33ecc..24fadf47 100644
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
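Review bot: `options[:httponly] = true` is applied before `options.merge!(resource.cookie_options)`, so a model-level `cookie_options` containing `:httponly => false` silently reverts the default this commit announces; that ordering looks deliberate (it is a default, not a floor) but nothing in `cookie_values` says so, and a later reorder of the two merges would change the contract unnoticed. Suggested comment above the method: `# Attribute precedence, lowest to highest: session_options (path/domain/secure), the httponly default, resource.cookie_options; :value and :expires are always set last.` The same comment should say that `:secure` is only inherited from the session store configuration, so the remember cookie is not marked secure on its own — existing behaviour, but easy to mistake for something httponly covers. The enclosing module starts outside the hunk.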
@@ -28,9 +28,9 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   def cookie_expires(key)
-    cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
-    cookie.split(";").map(&:strip).grep(/^expires=/)
-    Time.parse($')
+    cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
+    expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
+    Time.parse(expires)
   end
 
   test 'do not remember the user if he has not checked remember me option' do
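Review bot: `Time.parse(expires)` on the new side receives the whole `expires=...` attribute, prefix included; `Time.parse` is lenient enough that it will probably still locate the date, but the helper should hand over only the value, `Time.parse(expires.split('=', 2).last)`, so the assertion does not rely on parser tolerance. When the cookie carries no `expires` attribute, `.first` yields nil and `Time.parse(nil)` raises TypeError instead of a readable failure; a `flunk "no expires attribute in #{cookie.inspect}" unless expires` guard would make the test output say what went wrong. Replacing `$'` with an explicit local is the right call, since the post-match global after `grep` appears to reflect the last element compared rather than the matching one. The enclosing class `RememberMeTest` starts outside the hunk.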