From b3453c494ebdf866a0e51cf76ce899efaba92159 Mon Sep 17 00:00:00 2001
From: Benjamin Neff <benjamin@coding4coffee.ch>
Date: Wed, 31 Aug 2016 01:22:52 +0200
Subject: [PATCH] make session-cookie HttpOnly

closes #7041
---
 Changelog.md                         | 1 +
 config/initializers/session_store.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/Changelog.md b/Changelog.md
index fd450d5b96..913572c289 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -3,6 +3,7 @@
 ## Refactor
 * Indicate proper way to report bugs in the sidebar [#7039](https://github.com/diaspora/diaspora/pull/7039)
 * Remove text color from notification mails and fix sender avatar [#7054](https://github.com/diaspora/diaspora/pull/7054)
+* Make the session cookies HttpOnly again [#7041](https://github.com/diaspora/diaspora/pull/7041)
 
 ## Bug fixes
 
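Review bot: the new entry is filed under `## Refactor`, but restoring HttpOnly on the session cookie changes runtime behaviour (the cookie stops being readable from page JavaScript) rather than restructuring code, and the entry's own wording "again" describes a regression being undone; it belongs under the `## Bug fixes` heading that immediately follows, which is a one-line move within this hunk.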
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index d2e9c4e292..06360f9d29 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
 
-Diaspora::Application.config.session_store :cookie_store, key: '_diaspora_session', httponly: false
+Diaspora::Application.config.session_store :cookie_store, key: "_diaspora_session", httponly: true
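Review bot: the removed line set `httponly: false` explicitly, and the changelog entry says "again", so this flag was evidently switched off deliberately at some point; the commit message should state why that was and confirm that no client-side code reads `_diaspora_session` from `document.cookie`, because with `httponly: true` any such code would stop working silently. Two smaller points on the same line: the hunk also changes the key from `'_diaspora_session'` to `"_diaspora_session"`, an unrelated quoting change that should at least be mentioned in the message (fine if it matches the project's Ruby style), and while this option hash is being edited it is worth deciding whether `secure: true` is appropriate for deployments that serve only over HTTPS, so the session cookie is never sent over plain HTTP; that is a separate decision and not required for this fix.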
-- 
GitLab