diff options
Diffstat (limited to 'actionpack/lib')
4 files changed, 10 insertions, 3 deletions
diff --git a/actionpack/lib/action_controller/cgi_process.rb b/actionpack/lib/action_controller/cgi_process.rb index d381af1b84..fabacd9b83 100644 --- a/actionpack/lib/action_controller/cgi_process.rb +++ b/actionpack/lib/action_controller/cgi_process.rb @@ -42,7 +42,8 @@ module ActionController #:nodoc: :prefix => "ruby_sess.", # prefix session file names :session_path => "/", # available to all paths in app :session_key => "_session_id", - :cookie_only => true + :cookie_only => true, + :session_http_only=> true } def initialize(cgi, session_options = {}) diff --git a/actionpack/lib/action_controller/rack_process.rb b/actionpack/lib/action_controller/rack_process.rb index 1ace16da07..e8ea3704a8 100644 --- a/actionpack/lib/action_controller/rack_process.rb +++ b/actionpack/lib/action_controller/rack_process.rb @@ -14,7 +14,8 @@ module ActionController #:nodoc: :prefix => "ruby_sess.", # prefix session file names :session_path => "/", # available to all paths in app :session_key => "_session_id", - :cookie_only => true + :cookie_only => true, + :session_http_only=> true } def initialize(env, session_options = DEFAULT_SESSION_OPTIONS) diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb index 5bf7503f04..f2fb200950 100644 --- a/actionpack/lib/action_controller/session/cookie_store.rb +++ b/actionpack/lib/action_controller/session/cookie_store.rb @@ -70,7 +70,8 @@ class CGI::Session::CookieStore 'path' => options['session_path'], 'domain' => options['session_domain'], 'expires' => options['session_expires'], - 'secure' => options['session_secure'] + 'secure' => options['session_secure'], + 'http_only' => options['session_http_only'] } # Set no_hidden and no_cookies since the session id is unused and we diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb index f5a1155a46..fd3d94ed97 100644 --- a/actionpack/lib/action_controller/session_management.rb +++ b/actionpack/lib/action_controller/session_management.rb @@ -60,6 +60,10 @@ module ActionController #:nodoc: # # the session will only work over HTTPS, but only for the foo action # session :only => :foo, :session_secure => true # + # # the session by default uses HttpOnly sessions for security reasons. + # # this can be switched off. + # session :only => :foo, :session_http_only => false + # # # the session will only be disabled for 'foo', and only if it is # # requested as a web service # session :off, :only => :foo, |