Don't allow Javascript access to login cookie

salilab · Dec 20, 2021 · 715e1f9 · 715e1f9
1 parent 070b093
commit 715e1f9
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/account/account/util.py b/account/account/util.py
@@ -47,7 +47,8 @@ def set_servers_cookie_info(cookie, permanent):
     def add_cookie(response):
         response.set_cookie(key='sali-servers',
                             value='user_name&%s&session&%s' % (user, pwhash),
-                            secure=True, max_age=age, expires=expires)
+                            secure=True, httponly=True, max_age=age,
+                            expires=expires)
         return response
 
 

diff --git a/account/test/test_main.py b/account/test/test_main.py
@@ -47,7 +47,7 @@ def test_good_log_in_temporary():
     assert r.search(rv.data)
     assert (rv.headers['Set-Cookie'] ==
             'sali-servers=user_name&authuser&session&'
-            'bce42b481e4c5f9012ad7da17c7c141b; Secure; Path=/')
+            'bce42b481e4c5f9012ad7da17c7c141b; Secure; HttpOnly; Path=/')
 
 
 def test_good_log_in_permanent():
@@ -181,7 +181,7 @@ def test_register_ok():
     assert rv.status_code == 302  # redirect to index page
     assert (rv.headers['Set-Cookie'] ==
             'sali-servers=user_name&newuser&session&'
-            '25d55ad283aa400af464c76d713c07ad; Secure; Path=/')
+            '25d55ad283aa400af464c76d713c07ad; Secure; HttpOnly; Path=/')
 
 
 def test_logout():