The page http://www.codinghorror.com/blog/archives/001167.html explains why making HttpOnly cookies is a good idea.
How do I set this property in RubyOnRails?
Set the 'http_only' option in the hash used to set a cookie, e.g.
cookies["user_name"] = { :value => "david", :http_only => true }
I also wrote a patch that is included in Rails 2.2, which defaults the CookieStore session to be http_only.
Unfortunately session cookies are still by default regular cookies.
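As an added example (not part of the answer above, and not Rails code), a small Ruby checker that parses the Set-Cookie response headers an application emits and lists the cookies still sent without HttpOnly; the header samples and the cookie names in them are constructed.

```ruby
# Added example: audit Set-Cookie headers and report cookies that lack the
# HttpOnly flag. Attribute parsing follows RFC 6265 (name=value pair, then
# ';'-separated attributes, where a flag like HttpOnly has no value).

# Parse one Set-Cookie header value into { name:, value:, attrs: {...} }.
# Attribute names are lower-cased so "HttpOnly" and "httponly" match.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split("=", 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attributes }
end

# Return the names of cookies readable from JavaScript, i.e. those whose
# Set-Cookie header carries no HttpOnly attribute.
def cookies_missing_httponly(headers)
  headers.map { |h| parse_set_cookie(h) }
         .reject { |c| c[:attrs].key?("httponly") }
         .map { |c| c[:name] }
end

# Constructed sample headers: one cookie set the way the answer shows, one
# session cookie set without the flag, and a preference cookie with both flags.
SAMPLE_HEADERS = [
  "user_name=david; path=/; HttpOnly",
  "_myapp_session=abc123; path=/",
  "theme=dark; path=/; Secure; HttpOnly",
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Cookies without HttpOnly: #{cookies_missing_httponly(SAMPLE_HEADERS).inspect}"
end
```

Run it against the headers from a real response (e.g. captured with curl -i) to confirm the session cookie actually carries the flag after changing the session options.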