Please review my http_only patch for the CookieStore

In a security review of our application I realized that the
CookieStore cookie wasn't using a HttpOnly cookie. I thought I had
seen HttpOnly cookies somewhere in Rails and found that Rails cookie
support does support it, but it was never brought forward to the actual

While the cookie store is tamper-proof, abusive JavaScript could still
remove the session cookie or cause a TamperedWithCookie exception.

This patch exposes a configuration parameter :session_http_only which
defaults to true. This sets the HttpOnly flag on the cookie from the

The patch itself is pretty simple and allows you to turn off HttpOnly
if necessary.
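An added illustration (not the patch under review, and not Rails' own code) of what the HttpOnly default buys you: a small Set-Cookie builder whose `http_only:` option mirrors the described `:session_http_only` default, plus a check a reviewer can run over captured response headers to confirm the session cookie carries the flag. The helper names and the session cookie name `_myapp_session` are assumptions.

```ruby
# Illustration only: shows the Set-Cookie header with and without the
# HttpOnly attribute, and a check for its presence. Helper names are
# hypothetical; nothing here is the Rails CookieStore implementation.
require 'cgi'

# Build a Set-Cookie header for a session cookie. http_only defaults to
# true, mirroring the :session_http_only default described in the post.
def session_set_cookie(name, value, http_only: true, secure: false, path: '/')
  parts = ["#{name}=#{CGI.escape(value)}", "path=#{path}"]
  parts << 'secure' if secure
  parts << 'HttpOnly' if http_only
  parts.join('; ')
end

# Parse a Set-Cookie header into [name, value, attributes].
# Attribute names are matched case-insensitively, as browsers do.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  [name, value, attributes]
end

# Reviewer's check: is the named session cookie in these response
# headers flagged HttpOnly? Accepts a single header string or an array.
def session_cookie_http_only?(headers, session_key)
  Array(headers['Set-Cookie']).any? do |h|
    name, _value, attrs = parse_set_cookie(h)
    name == session_key && attrs['httponly'] == true
  end
end

if __FILE__ == $0
  key = '_myapp_session' # constructed session cookie name
  puts session_set_cookie(key, 'signed-session-data')
  puts session_set_cookie(key, 'signed-session-data', http_only: false)
  before = { 'Set-Cookie' => [session_set_cookie(key, 'x', http_only: false)] }
  after  = { 'Set-Cookie' => [session_set_cookie(key, 'x')] }
  puts session_cookie_http_only?(before, key) # false
  puts session_cookie_http_only?(after, key)  # true
end
```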