In a security review of our application I realized that the
CookieStore cookie wasn't using an HttpOnly cookie. I thought I had
seen HttpOnly cookies somewhere in rails and found that Rails cookie
support does support it, it was never brought forward to the actual
remove the session cookie or cause a TamperedWithCookie exception.
This patch exposes a configuration parameter :session_http_only which
defaults to true. This sets the HttpOnly flag on the cookie from the
The patch itself is pretty simple and allows you to turn off HttpOnly
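The check described above, as an added example that is not the Rails patch itself: a stand-in for a `session_http_only` option (constructed name modelled on the `:session_http_only` parameter, defaulting to true) when the session `Set-Cookie` header is written, plus the reviewer-side check that parses a `Set-Cookie` header and reports whether the HttpOnly flag is present. Cookie name and value are constructed sample data.

```ruby
# Added example, not the Rails patch. Models a session_http_only option
# (constructed, default true) when building the session Set-Cookie header,
# and a review check that confirms HttpOnly is actually set on the cookie.
require 'cgi'

# Build the Set-Cookie header value for the session cookie.
# session_http_only stands in for the patch's option; it defaults to true,
# so the HttpOnly flag is emitted unless it is explicitly turned off.
def build_session_cookie(key, value, path: '/', session_http_only: true, secure: false)
  parts = ["#{key}=#{CGI.escape(value)}", "path=#{path}"]
  parts << 'secure' if secure
  parts << 'HttpOnly' if session_http_only
  parts.join('; ')
end

# Parse a Set-Cookie header into the cookie name, its value and the
# lower-cased attribute list that follows it.
def parse_set_cookie(header)
  name_value, *attrs = header.split(';').map(&:strip)
  name, value = name_value.split('=', 2)
  { name: name, value: value, flags: attrs.map(&:downcase) }
end

# The review check: does this Set-Cookie header carry the HttpOnly flag?
def session_cookie_http_only?(header)
  parse_set_cookie(header)[:flags].include?('httponly')
end

# Constructed sample: the session cookie as emitted with the flag turned
# off (the pre-patch behaviour) and with the default of true.
BEFORE = build_session_cookie('_myapp_session', 'BAh7BjoPc2Vzc2lvbl9pZA==',
                              session_http_only: false)
AFTER  = build_session_cookie('_myapp_session', 'BAh7BjoPc2Vzc2lvbl9pZA==')

if __FILE__ == $PROGRAM_NAME
  puts "before: #{BEFORE} -> HttpOnly? #{session_cookie_http_only?(BEFORE)}"
  puts "after:  #{AFTER} -> HttpOnly? #{session_cookie_http_only?(AFTER)}"
end
```

Running the same check against the `Set-Cookie` headers an application actually returns is the quickest way to confirm the default took effect in a deployed environment.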