aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r--actionpack/lib/action_controller/cgi_process.rb3
-rw-r--r--actionpack/lib/action_controller/rack_process.rb3
-rw-r--r--actionpack/lib/action_controller/session/cookie_store.rb3
-rw-r--r--actionpack/lib/action_controller/session_management.rb4
4 files changed, 10 insertions, 3 deletions
diff --git a/actionpack/lib/action_controller/cgi_process.rb b/actionpack/lib/action_controller/cgi_process.rb
index d381af1b84..fabacd9b83 100644
--- a/actionpack/lib/action_controller/cgi_process.rb
+++ b/actionpack/lib/action_controller/cgi_process.rb
@@ -42,7 +42,8 @@ module ActionController #:nodoc:
:prefix => "ruby_sess.", # prefix session file names
:session_path => "/", # available to all paths in app
:session_key => "_session_id",
- :cookie_only => true
+ :cookie_only => true,
+ :session_http_only=> true
}
def initialize(cgi, session_options = {})
diff --git a/actionpack/lib/action_controller/rack_process.rb b/actionpack/lib/action_controller/rack_process.rb
index 1ace16da07..e8ea3704a8 100644
--- a/actionpack/lib/action_controller/rack_process.rb
+++ b/actionpack/lib/action_controller/rack_process.rb
@@ -14,7 +14,8 @@ module ActionController #:nodoc:
:prefix => "ruby_sess.", # prefix session file names
:session_path => "/", # available to all paths in app
:session_key => "_session_id",
- :cookie_only => true
+ :cookie_only => true,
+ :session_http_only=> true
}
def initialize(env, session_options = DEFAULT_SESSION_OPTIONS)
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 5bf7503f04..f2fb200950 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -70,7 +70,8 @@ class CGI::Session::CookieStore
'path' => options['session_path'],
'domain' => options['session_domain'],
'expires' => options['session_expires'],
- 'secure' => options['session_secure']
+ 'secure' => options['session_secure'],
+ 'http_only' => options['session_http_only']
}
# Set no_hidden and no_cookies since the session id is unused and we
diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb
index f5a1155a46..fd3d94ed97 100644
--- a/actionpack/lib/action_controller/session_management.rb
+++ b/actionpack/lib/action_controller/session_management.rb
@@ -60,6 +60,10 @@ module ActionController #:nodoc:
# # the session will only work over HTTPS, but only for the foo action
# session :only => :foo, :session_secure => true
#
+ # # the session by default uses HttpOnly sessions for security reasons.
+ # # this can be switched off.
+ # session :only => :foo, :session_http_only => false
+ #
# # the session will only be disabled for 'foo', and only if it is
# # requested as a web service
# session :off, :only => :foo,
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-02 08:32:23 +0000