SONAR-4487 the "remember me" cookie must also be flagged HttpOnly

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
index 49979d701cf635cf9d745c12becd22b3e0ec1908..36c69d5ed1ba5927a2abdf28b217b440fe51eb23 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -31,7 +31,7 @@ class SessionsController < ApplicationController
     if logged_in?
       if params[:remember_me] == '1'
         self.current_user.remember_me
-        cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
+        cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at, :http_only => true }
       end
       redirect_back_or_default(home_url)
     else

diff --git a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
index 140b12ea41a674c16883d228209826418c972527..5f6f661a660bf9556aa02b7c7298a27e5e95298b 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
@@ -197,7 +197,8 @@ module AuthenticatedSystem
   def send_remember_cookie!
     cookies[:auth_token] = {
       :value   => @current_user.remember_token,
-      :expires => @current_user.remember_token_expires_at }
+      :expires => @current_user.remember_token_expires_at,
+      :http_only => true }
   end
 
 end