tomtaylor/gist:14086

## gistfile1.rbx
# For what I have done, please forgive me.
# This monkey patch adds in the HttpOnly support for the session cookie
# This is present and accepted into Rails 2.2 at the time of writing, but not in Rails 2.1.
# You can remove this and set HttpOnly properly when moving to Rails 2.2

module ActionController
  class RackRequest
    DEFAULT_SESSION_OPTIONS = {
      :database_manager => CGI::Session::CookieStore, # store data in cookie
      :prefix           => "ruby_sess.",    # prefix session file names
      :session_path     => "/",             # available to all paths in app
      :session_key      => "_session_id",
      :cookie_only      => true,
      :session_http_only=> true
    }
  end

  class CgiRequest
    DEFAULT_SESSION_OPTIONS = {
      :database_manager => CGI::Session::CookieStore, # store data in cookie
      :prefix           => "ruby_sess.",    # prefix session file names
      :session_path     => "/",             # available to all paths in app
      :session_key      => "_session_id",
      :cookie_only      => true,
      :session_http_only=> true
    }
  end
end

class CGI::Session::CookieStore

  def initialize(session, options = {})
    # The session_key option is required.
    if options['session_key'].blank?
      raise ArgumentError, 'A session_key is required to write a cookie containing the session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
    end

    # The secret option is required.
    ensure_secret_secure(options['secret'])

    # Keep the session and its secret on hand so we can read and write cookies.
    @session, @secret = session, options['secret']

    # Message digest defaults to SHA1.
    @digest = options['digest'] || 'SHA1'

    # Default cookie options derived from session settings.
    @cookie_options = {
      'name'    => options['session_key'],
      'path'    => options['session_path'],
      'domain'  => options['session_domain'],
      'expires' => options['session_expires'],
      'secure'  => options['session_secure'],
      'http_only' => options['session_http_only']
    }

    # Set no_hidden and no_cookies since the session id is unused and we
    # set our own data cookie.
    options['no_hidden'] = true
    options['no_cookies'] = true
  end
end
	# For what I have done, please forgive me.
	# This monkey patch adds in the HttpOnly support for the session cookie
	# This is present and accepted into Rails 2.2 at the time of writing, but not in Rails 2.1.
	# You can remove this and set HttpOnly properly when moving to Rails 2.2

	module ActionController
	class RackRequest
	DEFAULT_SESSION_OPTIONS = {
	:database_manager => CGI::Session::CookieStore, # store data in cookie
	:prefix => "ruby_sess.", # prefix session file names
	:session_path => "/", # available to all paths in app
	:session_key => "_session_id",
	:cookie_only => true,
	:session_http_only=> true
	}
	end

	class CgiRequest
	DEFAULT_SESSION_OPTIONS = {
	:database_manager => CGI::Session::CookieStore, # store data in cookie
	:prefix => "ruby_sess.", # prefix session file names
	:session_path => "/", # available to all paths in app
	:session_key => "_session_id",
	:cookie_only => true,
	:session_http_only=> true
	}
	end
	end

	class CGI::Session::CookieStore

	def initialize(session, options = {})
	# The session_key option is required.
	if options['session_key'].blank?
	raise ArgumentError, 'A session_key is required to write a cookie containing the session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
	end

	# The secret option is required.
	ensure_secret_secure(options['secret'])

	# Keep the session and its secret on hand so we can read and write cookies.
	@session, @secret = session, options['secret']

	# Message digest defaults to SHA1.
	@digest = options['digest'] \|\| 'SHA1'

	# Default cookie options derived from session settings.
	@cookie_options = {
	'name' => options['session_key'],
	'path' => options['session_path'],
	'domain' => options['session_domain'],
	'expires' => options['session_expires'],
	'secure' => options['session_secure'],
	'http_only' => options['session_http_only']
	}

	# Set no_hidden and no_cookies since the session id is unused and we
	# set our own data cookie.
	options['no_hidden'] = true
	options['no_cookies'] = true
	end
	end