From 3b5782ea83aa8062754a9d983b15f87317ba6c1b Mon Sep 17 00:00:00 2001
From: Brian Sutherland <brian@vanguardistas.net>
Date: Fri, 17 Dec 2010 09:21:03 +0100
Subject: [PATCH] When the auth_tkt plugin is passed secure=True, add HttpOnly to the cookie.

---
 repoze/who/plugins/auth_tkt.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/repoze/who/plugins/auth_tkt.py b/repoze/who/plugins/auth_tkt.py
index ec83eb8..9d44e38 100644
--- a/repoze/who/plugins/auth_tkt.py
+++ b/repoze/who/plugins/auth_tkt.py
@@ -172,7 +172,7 @@
 
         secure = ''
         if self.secure:
-            secure = '; secure'
+            secure = '; secure; HttpOnly'
 
         cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
         wild_domain = '.' + cur_domain
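Review bot: HttpOnly is emitted only when `self.secure` is true, on the `secure = '; secure; HttpOnly'` line, so a deployment configured with secure=False still gets an auth ticket cookie that page scripts can read. The two attributes guard different things: Secure restricts the cookie to HTTPS transport, while HttpOnly hides it from script access and is useful regardless of transport. I would leave `secure = '; secure'` unchanged and carry the flag separately, e.g. `httponly = '; HttpOnly'`, appended to every Set-Cookie value this method builds, or put it behind its own constructor option if some client-side code must read the ticket. The method starts and ends outside the hunk, so the place where the `secure` string is concatenated is not visible here; presumably each cookie variant (current domain, wildcard domain) needs the same suffix.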

--
Gitblit v1.9.3