From adde7cf9216f9a0ccf78409078838d826d816f4a Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Wed, 14 Aug 2013 17:27:45 +0200
Subject: [PATCH] SONAR-4487 the "remember me" cookie must also be flagged HttpOnly

---
 .../main/webapp/WEB-INF/app/controllers/sessions_controller.rb | 2 +-
 .../src/main/webapp/WEB-INF/lib/authenticated_system.rb | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
index 49979d701cf..36c69d5ed1b 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -31,7 +31,7 @@ class SessionsController < ApplicationController
 if logged_in?
 if params[:remember_me] == '1'
 self.current_user.remember_me
- cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
+ cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at, :http_only => true }
 end
 redirect_back_or_default(home_url)
 else
diff --git a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
index 140b12ea41a..5f6f661a660 100644
--- a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
@@ -197,7 +197,8 @@ module AuthenticatedSystem
 def send_remember_cookie!
 cookies[:auth_token] = {
 :value => @current_user.remember_token,
- :expires => @current_user.remember_token_expires_at }
+ :expires => @current_user.remember_token_expires_at,
+ :http_only => true }
 end
 
 end
-- 
2.39.5
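Review bot: The attributes of the `auth_token` cookie are now spelled out in two places — the inline hash in this sessions_controller.rb hunk and `send_remember_cookie!` in the authenticated_system.rb hunk — so the HttpOnly flag added here has to be kept in sync by hand, and any later attribute can silently land in only one of them. If `SessionsController` gets `AuthenticatedSystem` through `ApplicationController`, the inline hash could be replaced by a call to `send_remember_cookie!`, but that helper reads `@current_user` while this line goes through `self.current_user`, and whether those always coincide is not visible from the hunk. The action this line belongs to starts before and ends after the hunk.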
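Review bot: `send_remember_cookie!` still sets the long-lived remember token without a Secure attribute, so on an HTTPS deployment the browser will also attach it to a plain-HTTP request for the same host; HttpOnly alone does not cover that. Whether to add `:secure => request.ssl?` here, or drive it from a server-level setting, depends on how the server is deployed, since an unconditional `:secure => true` would break installs served over HTTP; the same consideration applies to the inline hash in the sessions_controller.rb hunk. The `AuthenticatedSystem` module continues outside the hunk.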