Add HttpOnly flag to Set-Cookie #200

rdiffweb/controller/tests/test_page_login.py

@@ -34,6 +34,14 @@ def test_getpage(self):
         self.assertStatus('303 See Other')
         self.assertHeaderItemValue('Location', self.baseurl + '/login/?redirect=%2F')
 
+    def test_cookie_http_only(self):
+        # Given a request made to rdiffweb
+        # When receiving the response
+        self.getPage('/')
+        # Then the header contains Set-Cookie with HttpOnly
+        cookie = self.assertHeader('Set-Cookie')
+        self.assertIn('HttpOnly', cookie)
+
     def test_getpage_with_plaintext(self):
         """
         Requesting plain text without being authenticated should show the login form.

rdiffweb/rdw_app.py

@@ -195,6 +195,7 @@ def __init__(self, cfg):
                 'tools.sessions.debug': cfg.debug,
                 'tools.sessions.storage_class': session_storage_class,
                 'tools.sessions.storage_path': self._session_dir,
+                'tools.sessions.httponly': True,
                 'tools.ratelimit.debug': cfg.debug,
                 'tools.ratelimit.delay': 60,
                 'tools.ratelimit.anonymous_limit': cfg.rate_limit,