improved session cookies to always enable the HttpOnly flag and remov…

…ed experimental status from group feature of Mojolicious::Lite
mojolicious · Dec 27, 2011 · e176d3b · e176d3b
1 parent 39ddb89
commit e176d3b
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 4 deletions.
diff --git a/Changes b/Changes
@@ -1,10 +1,14 @@
 This file documents the revision history for Perl extension Mojolicious.
 
 2.41    2011-12-28 00:00:00
+        - Removed experimental status from group feature of
+          Mojolicious::Lite.
         - Removed experimental status from Mojo::Collection.
         - Removed experimental status from Mojolicious::Plugin::Mount.
         - Removed experimental status from dnt and etag methods in
           Mojo::Headers.
+        - Improved session cookies to always enable the HttpOnly flag.
+          (nwatkiss, sri)
         - Improved documentation.
 
 2.40    2011-12-24 00:00:00

diff --git a/lib/Mojolicious/Lite.pm b/lib/Mojolicious/Lite.pm
@@ -868,8 +868,7 @@ more argument variations.
 
   group {...};
 
-Start a new route group. Note that this function is EXPERIMENTAL and might
-change without warning!
+Start a new route group.
 
 =head2 C<helper>
 

diff --git a/lib/Mojolicious/Sessions.pm b/lib/Mojolicious/Sessions.pm
@@ -70,7 +70,8 @@ sub store {
   }
 
   # Options
-  my $options = {expires => $expires, path => $self->cookie_path};
+  my $options =
+    {expires => $expires, httponly => 1, path => $self->cookie_path};
   my $domain = $self->cookie_domain;
   $options->{domain} = $domain if $domain;
   $options->{secure} = 1       if $self->secure;

diff --git a/t/mojolicious/group_lite_app.t b/t/mojolicious/group_lite_app.t
@@ -8,7 +8,7 @@ BEGIN {
   $ENV{MOJO_IOWATCHER} = 'Mojo::IOWatcher';
 }
 
-use Test::More tests => 152;
+use Test::More tests => 153;
 
 # "Let's see how crazy I am now, Nixon. The correct answer is very."
 use Mojo::ByteStream 'b';
@@ -231,6 +231,8 @@ $t->get_ok('/bridge2stash' => {'X-Flash' => 1})->status_is(200)
 $t->get_ok('/bridge2stash')->status_is(200)
   ->content_is(
   "stash too!cookie!signed_cookie!!bad_cookie--12345678!session!flash!/!\n");
+is $t->tx->res->cookie('mojolicious')->httponly, 1,
+  'session cookie has HttpOnly flag';
 
 # GET /bridge2stash (broken session cookie)
 $t->reset_session;