From 2675e9d229f5c457869d661661348ce3c6e8b543 Mon Sep 17 00:00:00 2001
From: kelson
Date: Tue, 18 Aug 2015 10:23:29 -0400
Subject: [PATCH 1/2] added default HttpOnly cookies
---
 gluon/globals.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/gluon/globals.py b/gluon/globals.py
index 644a6b83..23f704b0 100644
--- a/gluon/globals.py
+++ b/gluon/globals.py
@@ -1023,10 +1023,16 @@ class Session(Storage):
 def _fixup_before_save(self):
 response = current.response
 rcookies = response.cookies
- if self._forget and response.session_id_name in rcookies:
+ scookies = rcookies.get(response.session_id_name)
+ if not scookies:
+ return
+ if self._forget:
 del rcookies[response.session_id_name]
- elif self._secure and response.session_id_name in rcookies:
- rcookies[response.session_id_name]['secure'] = True
+ return
+ if not self._js_cookies:
+ scookies['HttpOnly'] = True
+ if self._secure:
+ scookies['secure'] = True
 
 def clear_session_cookies(self):
 request = current.request
From cf20ce5faef6d0ae95bda49e69a1d81fc15a2d49 Mon Sep 17 00:00:00 2001
From: kelson
Date: Tue, 18 Aug 2015 12:25:13 -0400
Subject: [PATCH 2/2] _js_cookies => not httponly_cookies
---
 gluon/globals.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gluon/globals.py b/gluon/globals.py
index 23f704b0..3fbe42ba 100644
--- a/gluon/globals.py
+++ b/gluon/globals.py
@@ -1029,7 +1029,7 @@ class Session(Storage):
 if self._forget:
 del rcookies[response.session_id_name]
 return
- if not self._js_cookies:
+ if self.get('httponly_cookies',True):
 scookies['HttpOnly'] = True
 if self._secure:
 scookies['secure'] = True
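Review bot: The early exit `if not scookies: return` in the first hunk tests the cookie object's truthiness rather than its absence; `rcookies.get(response.session_id_name)` yields `None` when the session cookie is not in `response.cookies`, so `if scookies is None: return` states the intent and does not depend on the Morsel dict happening to be non-empty. The `secure` attribute is still set only when `self._secure` is true, so the new HttpOnly default has no counterpart for HTTPS deployments that never call the secure opt-in; if the request object reachable through `current.request` (used by `clear_session_cookies` just below) exposes whether the request arrived over TLS, defaulting `secure` from it alongside `self._secure` would close that gap — confirm the attribute name before relying on it. `clear_session_cookies` continues outside the hunk.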
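Review bot: The `httponly_cookies` switch in the second hunk is read from the session's own key space with `self.get(...)`, unlike the sibling `_forget` and `_secure` flags, so any value stored in the session under that name — by application code, or presumably carried over from an earlier request if the key is persisted with the rest of the session — silently decides whether the session id is readable by JavaScript. A comment should say why the opt-out exists and what it costs: `# HttpOnly by default; session.httponly_cookies = False exposes the session id to any injected script (XSS)`. The call also wants a space after the comma, `self.get('httponly_cookies', True)`, per PEP 8.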