Set HttpOnly for cookies using :http_only

SamSaffron · Jul 3, 2013 · 65d3894 · 65d3894
1 parent df7e1e2
commit 65d3894
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
@@ -274,7 +274,7 @@ def set_cookie_header!(header, key, value)
         expires = "; expires=" +
           rfc2822(value[:expires].clone.gmtime) if value[:expires]
         secure = "; secure"  if value[:secure]
-        httponly = "; HttpOnly" if value[:httponly]
+        httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
         value = value[:value]
       end
       value = [value] unless Array === value

diff --git a/test/spec_response.rb b/test/spec_response.rb
@@ -85,6 +85,18 @@
     response["Set-Cookie"].should.equal "foo=bar; HttpOnly"
   end
 
+  it "can set http only cookies with :http_only" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :http_only => true}
+    response["Set-Cookie"].should.equal "foo=bar; HttpOnly"
+  end
+
+  it "can set prefers :httponly for http only cookie setting when :httponly and :http_only provided" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :httponly => false, :http_only => true}
+    response["Set-Cookie"].should.equal "foo=bar"
+  end
+
   it "can delete cookies" do
     response = Rack::Response.new
     response.set_cookie "foo", "bar"