diff --git a/app/helpers/casino/sessions_helper.rb b/app/helpers/casino/sessions_helper.rb
index 13d27d74..904d7fd8 100644
--- a/app/helpers/casino/sessions_helper.rb
+++ b/app/helpers/casino/sessions_helper.rb
@@ -39,7 +39,7 @@ def sign_in(authentication_result, options = {})
   end
 
   def set_tgt_cookie(tgt)
-    cookies[:tgt] = { value: tgt.ticket }.tap do |cookie|
+    cookies[:tgt] = { value: tgt.ticket, httponly: !!CASino.config.httponly_tgt_cookies }.tap do |cookie|
       if tgt.long_term?
         cookie[:expires] = CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now
       end
diff --git a/lib/casino.rb b/lib/casino.rb
index e15bac79..5a033bcc 100644
--- a/lib/casino.rb
+++ b/lib/casino.rb
@@ -7,6 +7,7 @@ module CASino
   defaults = {
     authenticators: HashWithIndifferentAccess.new,
     require_service_rules: false,
+    httponly_tgt_cookies: false,
     logger: Rails.logger,
     frontend: HashWithIndifferentAccess.new(
       sso_name: 'CASino',
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 79ecb3f8..efa9d9b6 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -258,6 +258,24 @@
         tgt = CASino::TicketGrantingTicket.last
         tgt.long_term.should == true
       end
+
+      it 'creates a cookie that is not httponly by default' do
+        post :create, params
+        controller.cookies['tgt']['httponly'].should be(false)
+      end
+
+      context 'when we are configured for http_only_tgt_cookies' do
+        before do
+          CASino.config.httponly_tgt_cookies = true
+        end
+        after do
+          CASino.config.httponly_tgt_cookies = false
+        end
+        it 'creates an httponly cookie' do
+          post :create, params
+          controller.cookies['tgt']['httponly'].should be(true)
+        end
+      end
     end
 
     context 'with two-factor authentication enabled' do
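Review bot: The new `httponly:` key on the `cookies[:tgt]` assignment is the only flag set on what is effectively the SSO session credential: nothing marks the cookie `secure`, so the ticket is still sent in clear if the SSO host is ever reached over plain HTTP, and the HttpOnly option itself defaults to off. Unless something in the browser genuinely needs to read the TGT from script (nothing in this hunk shows such a consumer), HttpOnly should be the default and the opt-out the configurable part. At minimum consider `cookies[:tgt] = { value: tgt.ticket, httponly: !!CASino.config.httponly_tgt_cookies, secure: request.ssl? }.tap do |cookie|` so a TLS deployment does not leak the ticket on a downgrade; whether `request` is reachable from this helper depends on the including controller, which is outside the hunk. `set_tgt_cookie` continues past the end of the hunk.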
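Review bot: `httponly_tgt_cookies: false` makes the less safe setting the default and carries no explanation, so an operator reading the defaults hash gets no hint that the flag keeps the ticket-granting cookie away from script access. If the `false` default is being kept for compatibility, say so next to it: `# HttpOnly flag on the TGT cookie; false only for backward compatibility — set to true unless client-side script must read the ticket`. If no such consumer exists, flipping the default to `true` here is the safer change and the spec's "not httponly by default" example would follow.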
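Review bot: The `after` block hard-codes `CASino.config.httponly_tgt_cookies = false` instead of restoring whatever the value was before the example ran, so a later change to the default (or another spec that sets the flag) silently leaks state across examples. Capture and restore it instead: `before { @httponly_was = CASino.config.httponly_tgt_cookies; CASino.config.httponly_tgt_cookies = true }` and `after { CASino.config.httponly_tgt_cookies = @httponly_was }`. The context description also says `http_only_tgt_cookies` while the option is named `httponly_tgt_cookies`; aligning them keeps the spec greppable. The enclosing `describe` starts before the hunk.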