From 5d095bced471ac49d88f3d6756a939fddd710a74 Mon Sep 17 00:00:00 2001
From: Nick Muerdter
Date: Fri, 10 Apr 2015 18:41:14 -0600
Subject: [PATCH] Set secure and httponly flags on admin session cookie.

These help prevent session sidejacking or mitigate the impact of potential XSS issues.
---
 config/initializers/session_store.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 872c2c4b..593ae4cf 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,6 +1,14 @@
 # Be sure to restart your server when you modify this file.
 
-ApiUmbrella::Application.config.session_store :cookie_store, :key => '_api_umbrella_session'
+ApiUmbrella::Application.config.session_store(:cookie_store, {
+  :key => "_api_umbrella_session",
+
+  # Don't allow cookies to be accessed by javascript.
+  :httponly => true,
+
+  # Use secure cookies to prevent sidejacking.
+  :secure => !["development", "test"].include?(Rails.env),
+})
 
 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information
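Review bot: The `:secure` line ties the flag to `Rails.env` rather than to how requests actually arrive, and Rails only emits a cookie flagged secure when it considers the request to be SSL (`request.ssl?`), so in any non-development, non-test environment where TLS is terminated upstream and the proxy does not forward the scheme (e.g. via `X-Forwarded-Proto`), the session cookie is silently never written and admin logins fail with no error. That deployment requirement is worth stating next to the option, for example `# NOTE: Rails drops a secure cookie unless request.ssl? is true; a TLS-terminating proxy must forward the request scheme or admin sessions will not be set.`, and is worth a staging check since "staging" is not in the exempt list. As a point of style, `:secure => !Rails.env.development? && !Rails.env.test?` reads more directly than negating an `Array#include?` over environment name strings, though the behaviour is the same. The `:httponly` comment could also say why it matters — it keeps the session id out of reach of script even if an XSS bug lands — which is the rationale the commit message gives but the code comment does not.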