Make the generated cookies httponly

app/helpers/casino/sessions_helper.rb

@@ -38,7 +38,7 @@ def sign_in(authentication_result, options = {})
   end
 
   def set_tgt_cookie(tgt)
-    cookies[:tgt] = { value: tgt.ticket }.tap do |cookie|
+    cookies[:tgt] = { value: tgt.ticket, httponly: true}.tap do |cookie|
       if tgt.long_term?
         cookie[:expires] = CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now
       end

spec/controllers/sessions_controller_spec.rb

@@ -369,6 +369,12 @@
             ticket_granting_ticket.reload.should_not be_awaiting_two_factor_authentication
           end
 
+          it 'creates an httponly cookie' do
+            controller.stub(:cookies).and_return(HashWithIndifferentAccess.new)
+            post :validate_otp, request_options
+            controller.cookies['tgt']['httponly'].should be(true)
+          end
+
           context 'with a long-term ticket-granting ticket' do
             let(:cookie_jar) { HashWithIndifferentAccess.new }