authorSimon Brandhof <simon.brandhof@gmail.com>2013-08-14 17:27:45 +0200
committerSimon Brandhof <simon.brandhof@gmail.com>2013-08-14 17:27:56 +0200
commitadde7cf9216f9a0ccf78409078838d826d816f4a (patch)
treec7a8fd734ec8f3c58a00a2e4ebfe0385f1d952ec
parent3597f9be9723a060fd850aef52a138d8a49a6a7f (diff)
downloadsonarqube-adde7cf9216f9a0ccf78409078838d826d816f4a.tar.gz
sonarqube-adde7cf9216f9a0ccf78409078838d826d816f4a.zip
SONAR-4487 the "remember me" cookie must also be flagged HttpOnly
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb3
2 files changed, 3 insertions, 2 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
index 49979d701cf..36c69d5ed1b 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -31,7 +31,7 @@ class SessionsController < ApplicationController
if logged_in?
if params[:remember_me] == '1'
self.current_user.remember_me
- cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
+ cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at, :http_only => true }
end
redirect_back_or_default(home_url)
else
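Review bot: The remember-me cookie on the `+` line still has no `:secure` attribute, so the long-lived `auth_token` is sent over plain HTTP as well as HTTPS, which is the other half of the exposure that `:http_only` addresses; the same gap is in the `send_remember_cookie!` hunk of authenticated_system.rb. Since this server may be deployed without TLS, an unconditional `:secure => true` could disable remember-me entirely, so tying it to the request is the safer change: `cookies[:auth_token] = { :value => self.current_user.remember_token, :expires => self.current_user.remember_token_expires_at, :http_only => true, :secure => request.ssl? }`. Whether the session cookie itself already carries these flags is not visible here; it is presumably configured elsewhere and worth checking alongside this commit. The enclosing action starts and ends outside the hunk.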
diff --git a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
index 140b12ea41a..5f6f661a660 100644
--- a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
@@ -197,7 +197,8 @@ module AuthenticatedSystem
def send_remember_cookie!
cookies[:auth_token] = {
:value => @current_user.remember_token,
- :expires => @current_user.remember_token_expires_at }
+ :expires => @current_user.remember_token_expires_at,
+ :http_only => true }
end
end
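Review bot: The hash literal in `send_remember_cookie!` is duplicated verbatim in the sessions_controller.rb hunk, which is why this commit had to add `:http_only => true` in two places; any further attribute (for example `:secure`) will again have to be kept in sync by hand. If the controller includes `AuthenticatedSystem` (it appears to, given that `logged_in?` is called there, but that is not visible in this hunk), the controller branch could be reduced to `self.current_user.remember_me` followed by `send_remember_cookie!`, leaving this method as the single definition of the cookie's attributes. A one-line comment above the hash, `# All attributes of the remember-me cookie are defined here; keep callers using this method rather than rebuilding the hash.`, would make that intent explicit.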