Bug 368502 - "Bugzilla_logincookie should not be accessible via javascript" [p=reed r+a=mkanat]

1 files changed, 6 insertions, 3 deletions

diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 3faa892ae..4928068e5 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -76,17 +76,20 @@ sub persist_login {
     {
         $cgi->send_cookie(-name => 'Bugzilla_login',
                           -value => $user->id,
+                          -httponly => 1,
                           -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
         $cgi->send_cookie(-name => 'Bugzilla_logincookie',
                           -value => $login_cookie,
+                          -httponly => 1,
                           -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
-
     }
     else {
         $cgi->send_cookie(-name => 'Bugzilla_login',
-                          -value => $user->id);
+                          -value => $user->id,
+                          -httponly => 1);
         $cgi->send_cookie(-name => 'Bugzilla_logincookie',
-                          -value => $login_cookie);
+                          -value => $login_cookie,
+                          -httponly => 1);
     }
 }