Security: Make 'token' cookie HTTP-only
This prevents malicious JavaScript code injected by an XSS attack from
reading your "Remember me" token, and getting long-term access to your
account.  Note that not all browsers honor :http_only, and of those
that do, some allow it to be bypassed using XmlHttpRequest.
emk committed Dec 11, 2008
1 parent 5186bb4 commit f9d3c10
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion RAILS-2.2-TODO.txt
@@ -15,8 +15,8 @@ We need to do a basic security audit.
X Can we restrict admin cookies to /admin ? No--need /accounts, too.
/ Make sure logging out clears all relevant cookies and tokens
/ Check for session fixation attacks
/ Make sure cookies are HTTP-only whenever possible
Expire sessions after a while?
Make sure cookies are HTTP-only whenever possible
Cross-site scripting
/ Turn on protect_against_forgery
Check all fields in comments
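Review bot: marking "Make sure cookies are HTTP-only whenever possible" as done is premature, since the code change in this commit only touches the `token` cookie; the admin cookies and the "logging out clears all relevant cookies and tokens" items in the same list are untouched here, so the "whenever possible" part is still open. Suggest keeping the item unchecked (or narrowing it to "remember-me token is HTTP-only") until the remaining cookies have been reviewed.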
2 changes: 1 addition & 1 deletion app/controllers/account_controller.rb
@@ -15,7 +15,7 @@ def login
return unless request.post?
self.current_user = User.authenticate_for(site, params[:login], params[:password])
if logged_in?
cookies[:token] = { :value => current_user.reset_token!, :expires => Time.now.utc+2.weeks } if params[:remember_me] == "1"
cookies[:token] = { :value => current_user.reset_token!, :expires => Time.now.utc+2.weeks, :http_only => true } if params[:remember_me] == "1"
return redirect_back_or_default(default_url(self.current_user))
end
flash.now[:error] = "Could not log you in. Are you sure your Login name and Password are correct?"
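Review bot: the remember-me cookie still lacks the `:secure` flag, so the long-lived token that `:http_only` now hides from page scripts will still be sent in cleartext on any plain-HTTP request to the site; on the new `cookies[:token] = { ... }` line, add `:secure => true` (if the site is served over HTTPS) alongside `:http_only => true`. The commit message's own caveat also deserves a code comment here, since a reader of this line will otherwise assume HTTP-only is a complete defence against XSS token theft.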