
Adding HttpOnly to session cookie in order to raise the barrier to XSS cookie theft
1 parent e09b31f commit 899a4a7b491457ce7a523fa6df0b7bfad7582861 @richmarr richmarr committed Apr 25, 2011
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/cookie-sessions.js
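--- a/lib/cookie-sessions.js
+++ b/lib/cookie-sessions.js
@@ -39,13 +39,13 @@ var exports = module.exports = function(settings){
 if ("cookie" in req.headers) {
 cookiestr = escape(s.session_key) + '='
 + '; expires=' + exports.expires(0)
-+ '; path=/';
++ '; path=/; HttpOnly';
 }
 } else {
 cookiestr = escape(s.session_key) + '='
 + escape(exports.serialize(s.secret, req.session))
 + '; expires=' + exports.expires(s.timeout)
-+ '; path=/';
++ '; path=/; HttpOnly';
 }
 if (cookiestr !== undefined) {
 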
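Review bot: The new cookie strings still carry no `Secure` flag, so the serialized session in the `else` branch is sent on plaintext HTTP as well as HTTPS; HttpOnly only blocks script access, not network interception, which is the other common route to session theft. Since the enclosing function takes `settings` (visible in the hunk header), a setting-controlled flag would cover it without changing the default: `+ '; path=/; HttpOnly' + (settings.secure ? '; Secure' : '')` on the second changed line, with the same suffix on the expiry cookie in the `if` branch for consistency. Whether `settings` already has such a field, and whether the app is served over TLS, cannot be determined from this hunk; the enclosing function begins and ends outside it.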