WebSession: HttpOnly attribute in stub cookies

* Adds HttpOnly attribute to stub cookies as well. (addresses inveniosoftware#3064) Signed-off-by: Tibor Simko <[email protected]> Reviewed-by: Lars Holm Nielsen <[email protected]>
SCOAP3 · Jun 5, 2015 · bb7b779 · bb7b779
1 parent 951e2ce
commit bb7b779
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/modules/websession/lib/session.py b/modules/websession/lib/session.py
@@ -341,9 +341,9 @@ def make_cookies(self):
         cookies = []
         uid = self.get('uid', -1)
         if uid > 0 and CFG_SITE_SECURE_URL.startswith("https://"):
-            stub_cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME + 'stub', 'HTTPS')
+            stub_cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME + 'stub', 'HTTPS', HttpOnly=True)
         else:
-            stub_cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME + 'stub', 'NO')
+            stub_cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME + 'stub', 'NO', HttpOnly=True)
         cookies.append(stub_cookie)
         if self._req.is_https() or not CFG_SITE_SECURE_URL.startswith("https://") or uid <= 0:
             cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME, self._sid)