rememberable cookie now is httponly by default

CHANGELOG.rdoc

@@ -6,6 +6,7 @@
   * rails g destroy works properly with devise generators (by github.com/andmej)
   * recall options is now passed forward by hooks (by github.com/siong1987)
   * before_failure callbacks should work on test helpers (by github.com/twinge)
+  * rememberable cookie now is httponly by default (by github.com/JamesFerguson)
 
 * deprecations
   * Deprecated anybody_signed_in? in favor of signed_in? (by github.com/gavinhughes)

lib/devise/hooks/rememberable.rb

@@ -18,11 +18,14 @@ module Devise
 
       def cookie_values(resource)
         options = Rails.configuration.session_options.slice(:path, :domain, :secure)
+        options[:httponly] = true
+
         options.merge!(resource.cookie_options)
         options.merge!(
           :value => resource.class.serialize_into_cookie(resource),
           :expires => resource.remember_expires_at
         )
+
         options
       end
 

test/integration/rememberable_test.rb

@@ -28,9 +28,9 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   def cookie_expires(key)
-    cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
+    cookie  = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
-    cookie.split(";").map(&:strip).grep(/^expires=/)
+    expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
-    Time.parse($')
+    Time.parse(expires)
   end
 
   test 'do not remember the user if he has not checked remember me option' do