Merge pull request hapijs#828 from spumko/issue/807
Add HttpOnly support to cookie auth
geek committed May 7, 2013
2 parents 1fd96b2 + e37f42f commit 5270085
Showing 3 changed files with 5 additions and 3 deletions.
1 change: 1 addition & 0 deletions docs/Reference.md
Expand Up @@ -923,6 +923,7 @@ of the cookie content can use it to impersonate its true owner. The `'cookie`' s
- `ttl` - sets the cookie expires time in milliseconds. Defaults to single browser session (ends when browser closes).
- `clearInvalid` - if `true`, any authentication cookie that fails validation will be marked as expired in the response and cleared. Defaults to `false`.
- `isSecure` - if `false`, the cookie is allowed to be transmitted over insecure connections which exposes it to attacks. Defaults to `true`.
- `isHttpOnly` - if `false`, the cookie will not include the 'HttpOnly' flag. Defaults to `true`.
- `redirectTo` - optional login URI to redirect unauthenticated requests to. Defaults to no redirection.
- `appendNext` - if `true` and `redirectTo` is `true`, appends the current request path to the query component of the `redirectTo` URI using the
parameter name `'next'`. Set to a string to use a different parameter name. Defaults to `false`.
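Review bot: The new `isHttpOnly` entry says what the flag is called but not what it protects, unlike the `isSecure` entry just above it, which spells out the consequence of turning it off ("which exposes it to attacks"). Suggest stating the effect so an operator understands the trade-off before disabling it, e.g. "if `false`, the cookie will not include the 'HttpOnly' flag, making it readable by client-side script. Defaults to `true`." Also match the quoting used for other literals in this list (`` `HttpOnly` `` rather than `'HttpOnly'`).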
3 changes: 2 additions & 1 deletion lib/auth/cookie.js
Expand Up @@ -27,7 +27,8 @@ exports = module.exports = internals.Scheme = function (server, options) {
encoding: 'iron',
password: this.settings.password,
isSecure: this.settings.isSecure !== false, // Defaults to true
path: '/'
path: '/',
isHttpOnly: this.settings.isHttpOnly !== false // Defaults to true
};

if (this.settings.ttl) {
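Review bot: The `this.settings.isHttpOnly !== false` expression follows the same secure-by-default pattern as `isSecure` on the line above, which is the right choice: only an explicit boolean `false` turns the flag off, and `undefined`, `0`, or the string `'false'` all leave HttpOnly set. Two follow-ups worth making in this hunk or alongside it: document that only a literal `false` disables the flag (a string `'false'` will silently keep it on), and add a test exercising the `isHttpOnly: false` path, since the test changes in this commit only assert the default.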
4 changes: 2 additions & 2 deletions test/integration/auth.js
Expand Up @@ -1309,7 +1309,7 @@ describe('Auth', function () {

expect(res.statusCode).to.equal(200);
expect(res.result).to.equal('logged-out');
expect(res.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; Path=/');
expect(res.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Path=/');
done();
});
});
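Review bot: This assertion only checks the clearing cookie issued on logout (`Max-Age=0`), not the authentication cookie set on login, which is the one whose exposure to script actually matters. Suggest adding an expectation on the login response's `set-cookie` header that it contains `HttpOnly` as well. Note also that the exact-string comparison pins the attribute order (`Secure; HttpOnly; Path=/`); that is consistent with the existing `Secure; Path=/` assertion, but a `to.contain('HttpOnly')` check would survive a reordering in the state layer without weakening the test.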
Expand All @@ -1327,7 +1327,7 @@ describe('Auth', function () {

server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } }, function (res) {

expect(res.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; Path=/');
expect(res.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Path=/');
expect(res.statusCode).to.equal(401);
done();
});
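Review bot: Same observation as the previous hunk: this covers only the invalid-cookie clearing path (`clearInvalid` with a 401). Together the two test changes verify that expired cookies carry `HttpOnly`, but nothing asserts the negative case, so a regression that dropped the flag only when `isHttpOnly` is explicitly `false`, or that ignored the option altogether, would pass. Suggest one additional test that starts the scheme with `isHttpOnly: false` and asserts the `set-cookie` header does not contain `HttpOnly`.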