Merge pull request #1046 from ShySec/master

added default HttpOnly cookies
2015-08-18 11:53:54 -05:00
parent 93237837ed cf20ce5fae
commit 47c0e461f1
1 changed files with 9 additions and 3 deletions
--- a/gluon/globals.py
+++ b/gluon/globals.py
@@ -1023,10 +1023,16 @@ class Session(Storage):
    def _fixup_before_save(self):
        response = current.response
        rcookies = response.cookies
-        if self._forget and response.session_id_name in rcookies:
+        scookies = rcookies.get(response.session_id_name)
+        if not scookies:
+            return
+        if self._forget:
            del rcookies[response.session_id_name]
-        elif self._secure and response.session_id_name in rcookies:
-            rcookies[response.session_id_name]['secure'] = True
+            return
+        if self.get('httponly_cookies',True):
+            scookies['HttpOnly'] = True
+        if self._secure:
+            scookies['secure'] = True

    def clear_session_cookies(self):
        request = current.request