Deprecate ActionController::Response#set_cookie :http_only option infavor of :httponly

2 files changed, 4 insertions, 1 deletions

diff --git a/actionpack/lib/action_controller/cookies.rb b/actionpack/lib/action_controller/cookies.rb
index 840ceb5abd..ca380e98d0 100644
--- a/actionpack/lib/action_controller/cookies.rb
+++ b/actionpack/lib/action_controller/cookies.rb
@@ -41,7 +41,7 @@ module ActionController #:nodoc:
   # * <tt>:expires</tt> - The time at which this cookie expires, as a Time object.
   # * <tt>:secure</tt> - Whether this cookie is a only transmitted to HTTPS servers.
   #   Default is +false+.
-  # * <tt>:http_only</tt> - Whether this cookie is accessible via scripting or
+  # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or
   #   only HTTP. Defaults to +false+.
   module Cookies
     def self.included(base)
diff --git a/actionpack/lib/action_controller/response.rb b/actionpack/lib/action_controller/response.rb
index 4533c12074..6659907975 100644
--- a/actionpack/lib/action_controller/response.rb
+++ b/actionpack/lib/action_controller/response.rb
@@ -169,6 +169,9 @@ module ActionController # :nodoc:
 
     def set_cookie(key, value)
       if value.has_key?(:http_only)
+        ActiveSupport::Deprecation.warn(
+          "The :http_only option in ActionController::Response#set_cookie " +
+          "has been renamed. Please use :httponly instead.", caller)
         value[:httponly] ||= value.delete(:http_only)
       end