From 128ab8f7c89758a8d810a4aac69ce9c341d33497 Mon Sep 17 00:00:00 2001 From: Patrik Dufresne Date: Thu, 16 Jun 2022 19:22:49 +0000 Subject: [PATCH] Add HttpOnly flag to Set-Cookie #200 --- rdiffweb/controller/tests/test_page_login.py | 8 ++++++++ rdiffweb/rdw_app.py | 1 + 2 files changed, 9 insertions(+) diff --git a/rdiffweb/controller/tests/test_page_login.py b/rdiffweb/controller/tests/test_page_login.py index 4cfea7c7..90bb6a07 100644 --- a/rdiffweb/controller/tests/test_page_login.py +++ b/rdiffweb/controller/tests/test_page_login.py @@ -34,6 +34,14 @@ def test_getpage(self): self.assertStatus('303 See Other') self.assertHeaderItemValue('Location', self.baseurl + '/login/?redirect=%2F') + def test_cookie_http_only(self): + # Given a request made to rdiffweb + # When receiving the response + self.getPage('/') + # Then the header contains Set-Cookie with HttpOnly + cookie = self.assertHeader('Set-Cookie') + self.assertIn('HttpOnly', cookie) + def test_getpage_with_plaintext(self): """ Requesting plain text without being authenticated should show the login form. diff --git a/rdiffweb/rdw_app.py b/rdiffweb/rdw_app.py index 85e61926..520fcd5d 100644 --- a/rdiffweb/rdw_app.py +++ b/rdiffweb/rdw_app.py @@ -195,6 +195,7 @@ def __init__(self, cfg): 'tools.sessions.debug': cfg.debug, 'tools.sessions.storage_class': session_storage_class, 'tools.sessions.storage_path': self._session_dir, + 'tools.sessions.httponly': True, 'tools.ratelimit.debug': cfg.debug, 'tools.ratelimit.delay': 60, 'tools.ratelimit.anonymous_limit': cfg.rate_limit,
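Review bot: The assertion in the new `test_cookie_http_only` only checks that the substring `HttpOnly` appears in whichever Set-Cookie value `assertHeader` returns, so it would pass on any cookie, not specifically the session cookie, and it would miss a second Set-Cookie header that lacks the flag (CherryPy's webtest `assertHeader` appears to return just the first matching header). Consider checking every Set-Cookie value and pinning the cookie name, e.g. `cookies = [v for k, v in self.headers if k.lower() == 'set-cookie']` then `self.assertTrue(cookies)` and `for c in cookies: self.assertIn('HttpOnly', c)`. The name to pin depends on what `tools.sessions.name` is configured to, which the hunk does not show, so verify it against `rdw_app.py` before adding that check. The enclosing test class starts outside the hunk.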
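Review bot: HttpOnly alone still lets the session cookie be sent over plaintext HTTP, so the companion `tools.sessions.secure` setting is the missing piece next to the added `'tools.sessions.httponly': True,`. If the application knows it is served over TLS (a config flag or a reverse-proxy setting, which cannot be seen in this hunk), add `'tools.sessions.secure': True,` gated on that condition rather than unconditionally, since a hard-coded Secure flag would break plain-HTTP deployments by making the browser never return the cookie. A one-line why-comment on the new key would also help the next maintainer, e.g. `# HttpOnly keeps the session cookie out of reach of page scripts (#200)`. The `__init__` that builds this config dict starts and ends outside the hunk, so whether `cfg` already carries a TLS setting is unknown from here.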