rbCAS · elspethsoup · Feb 4, 2016 · Sep 19, 2016
diff --git a/app/helpers/casino/sessions_helper.rb b/app/helpers/casino/sessions_helper.rb
@@ -39,7 +39,7 @@ def sign_in(authentication_result, options = {})
   end
 
   def set_tgt_cookie(tgt)
-    cookies[:tgt] = { value: tgt.ticket }.tap do |cookie|
+    cookies[:tgt] = { value: tgt.ticket, httponly: !!CASino.config.httponly_tgt_cookies }.tap do |cookie|
       if tgt.long_term?
         cookie[:expires] = CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now
       end

diff --git a/lib/casino.rb b/lib/casino.rb
@@ -7,6 +7,7 @@ module CASino
   defaults = {
     authenticators: HashWithIndifferentAccess.new,
     require_service_rules: false,
+    httponly_tgt_cookies: false,
     logger: Rails.logger,
     frontend: HashWithIndifferentAccess.new(
       sso_name: 'CASino',

diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
@@ -258,6 +258,24 @@
             tgt = CASino::TicketGrantingTicket.last
             tgt.long_term.should == true
           end
+
+          it 'creates a cookie that is not httponly by default' do
+            post :create, params
+            controller.cookies['tgt']['httponly'].should be(false)
+          end
+
+          context 'when we are configured for http_only_tgt_cookies' do
+            before do
+              CASino.config.httponly_tgt_cookies = true
+            end
+            after do
+              CASino.config.httponly_tgt_cookies = false
+            end
+            it 'creates an httponly cookie' do
+              post :create, params
+              controller.cookies['tgt']['httponly'].should be(true)
+            end
+          end
         end
 
         context 'with two-factor authentication enabled' do