mozilla / node-client-sessions

secure sessions stored in cookies
Mozilla Public License 2.0

httpOnly option not respected #87

Closed timemachine3030 closed 10 years ago

timemachine3030 commented 10 years ago

Code to reproduce:

'use strict';
var restify = require('restify');
var sessions = require('client-sessions');

var server = restify.createServer({
    name: 'test-sessions',
    version: '0.0.1'
});

server.use(sessions({
    cookieName: 'session',
    secret: 'example',
    httpOnly: false,   // passed at the top level of the options object
    duration: 24 * 60 * 60 * 1000
}));

server.get('/status', function (req, res, next) {
    req.session.username = 'timemachine';   // touching the session makes the middleware emit Set-Cookie
    res.send(200, {
        status: 'Hello World!!!!'
    });
    next();
});

server.listen(3000);
console.log('Restify server listening on port: ' + 3000);

Installed Libraries:

restify@2.8.2 client-sessions@0.6.0 cookies@0.3.8

Steps to reproduce:

start server: node server.js
GET /status: curl --include http://localhost:3000/status

Expected results

Set-Cookie does not contain httponly

Actual results

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 28
Set-Cookie: session=[...]; path=/; expires=Wed, 13 Aug 2014 15:29:05 GMT; httponly
Date: Tue, 12 Aug 2014 15:29:04 GMT
Connection: keep-alive

{"status":"Hello World!!!!"}

Additional notes

I also tried to spell it in all lowercase: httponly

Thank you for your attention in this!

seanmonstar commented 10 years ago

The httpOnly option goes in a cookie object. It's not an option for client-sessions, but for cookies. See the second code block in the README.
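As an added example (not code from the issue thread or from client-sessions itself), the following shows the corrected options layout next to a small check for the mistake reported above. It assumes the README layout seanmonstar refers to, where cookie attributes live under a `cookie` sub-object, and that the attribute keys recognised there are `httpOnly`, `secure`, `path` and `ephemeral`; the helper names (`sessionOptions`, `misplacedCookieKeys`, `parseSetCookie`, `isHttpOnly`) and the sample Set-Cookie value are constructed for this example.

```javascript
'use strict';
// Added example, not code from the issue thread or from client-sessions.
// Assumption: cookie attributes (httpOnly, secure, path, ephemeral) belong under
// the `cookie` sub-object; at the top level of the options they are ignored,
// which is why the reported `httpOnly: false` had no effect.

const COOKIE_KEYS = ['httpOnly', 'secure', 'path', 'ephemeral'];

// Build a client-sessions options object with cookie attributes in the
// `cookie` sub-object. Defaults keep HttpOnly and Secure on; pass overrides
// only when you have a concrete reason to weaken them.
function sessionOptions(cookieOverrides) {
  const cookie = Object.assign(
    { path: '/', httpOnly: true, secure: true },
    cookieOverrides || {}
  );
  return {
    cookieName: 'session',
    secret: process.env.SESSION_SECRET || 'PLACEHOLDER-SET-A-REAL-SECRET', // placeholder, not a real secret
    duration: 24 * 60 * 60 * 1000,
    cookie: cookie,
  };
}

// Lint check: report cookie attributes placed at the top level of the options,
// where they are silently ignored (the situation in this issue).
function misplacedCookieKeys(opts) {
  return COOKIE_KEYS.filter((k) => Object.prototype.hasOwnProperty.call(opts, k));
}

// Parse one Set-Cookie header value into name, value and a lower-cased
// attribute map; flag attributes such as HttpOnly map to `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name: name, value: value, attrs: attrs };
}

// True when the header carries the HttpOnly flag. Attribute names are
// case-insensitive, so the lowercase `httponly` in the curl output counts.
function isHttpOnly(header) {
  return parseSetCookie(header).attrs.httponly === true;
}

// Constructed sample modelled on the Set-Cookie line in the issue; the
// session value is made up.
const SAMPLE_SET_COOKIE =
  'session=c2FtcGxl; path=/; expires=Wed, 13 Aug 2014 15:29:05 GMT; httponly';

// The configuration as reported in the issue, with httpOnly at the top level.
const reportedConfig = { cookieName: 'session', secret: 'example', httpOnly: false, duration: 1 };
console.log('misplaced keys in reported config:', misplacedCookieKeys(reportedConfig)); // [ 'httpOnly' ]
console.log('misplaced keys in corrected config:', misplacedCookieKeys(sessionOptions())); // []
console.log('sample header is HttpOnly:', isHttpOnly(SAMPLE_SET_COOKIE)); // true
```

Running `misplacedCookieKeys` over a configuration at startup turns this class of silent misconfiguration into a loud one; in the other direction, `isHttpOnly` run over a captured response header verifies what the server actually emitted rather than what the options file says.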