Please review my http_only patch for the CookieStore

Hi, in a security review of our application I realized that the CookieStore cookie wasn't using an HttpOnly cookie. I thought I had seen HttpOnly cookies somewhere in Rails and found that Rails cookie support does support it, but it was never brought forward to the actual CookieStore.

http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/1046-http-only-cookies-in-cookiestore

While the cookie store is tamper proof, abusive JavaScript could still remove the session cookie or cause a TamperedWithCookie exception.

This patch exposes a configuration parameter :session_http_only which defaults to true. This sets the HttpOnly flag on the cookie from the CookieStore.

The patch itself is pretty simple and allows you to turn off HttpOnly if necessary.

Pelle
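
An added example, not part of the original post or the patch: a Ruby check that parses `Set-Cookie` response headers and reports whether the session cookie carries the HttpOnly attribute. The cookie names (`_myapp_session`, `theme`) and the header values are constructed for illustration.

```ruby
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# Cookie names and header values below are constructed for illustration.

# Parse one Set-Cookie header value into its name and attribute map.
# Attribute names are case-insensitive, so keys are downcased.
def parse_set_cookie(header)
  pair, *attrs = header.to_s.split(';').map(&:strip)
  name, _value = pair.to_s.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    next if attr.empty?
    key, val = attr.split('=', 2)
    acc[key.strip.downcase] = val.nil? ? true : val.strip
  end
  { name: name.to_s.strip, attributes: attributes }
end

# Names of cookies that page JavaScript can read (no HttpOnly attribute).
def cookies_readable_by_script(headers)
  headers.map { |h| parse_set_cookie(h) }
         .reject { |c| c[:attributes].key?('httponly') }
         .map { |c| c[:name] }
         .uniq
end

# True only if the session cookie is set at least once and every
# Set-Cookie header for it carries HttpOnly.
def session_cookie_http_only?(headers, session_name)
  session = headers.map { |h| parse_set_cookie(h) }
                   .select { |c| c[:name] == session_name }
  !session.empty? && session.all? { |c| c[:attributes].key?('httponly') }
end

# Constructed responses: session cookie without and with the flag.
WITHOUT_FLAG = [
  '_myapp_session=c2FtcGxl--0123abcd; path=/',
  'theme=HttpOnly; path=/' # value contains the word, flag is absent
].freeze

WITH_FLAG = [
  '_myapp_session=c2FtcGxl--0123abcd; path=/; HttpOnly',
  'theme=HttpOnly; path=/'
].freeze

if $PROGRAM_NAME == __FILE__
  puts "without flag: #{cookies_readable_by_script(WITHOUT_FLAG).inspect}"
  puts "with flag:    #{cookies_readable_by_script(WITH_FLAG).inspect}"
end
```

Parsing the attributes rather than searching the header for the substring "HttpOnly" avoids a false pass on a cookie whose value merely contains that word.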