@JamesFerguson
Created December 21, 2010 00:26
A monkey patch to make Devise's Rememberable module set the remember_#{scope}_token cookie HttpOnly, so that the token cannot be read by client-side script (limiting the impact of an XSS vulnerability).
# config/environment.rb
# ...
# Require every file under lib/monkey_patches (recursively) at boot, so the
# Devise override in lib/monkey_patches/devise/hooks/rememberable.rb is loaded.
Dir.glob(Rails.root.join('lib/monkey_patches/**/*.rb')).each { |patch_file| require patch_file }
# ...
# lib/monkey_patches/devise/hooks/rememberable.rb
# monkey patch to make remember_#{scope}_token cookie be ':httponly => true'
module Devise
  module Hooks
    # Reopens Devise::Hooks::Rememberable so that the remember-me cookie is
    # written with :httponly => true. Everything else about the hook (the
    # call to super, the succeeded?/remember_me? guard) is kept unchanged.
    module Rememberable
      # Called when the authentication strategy succeeds. If the resource
      # responds to remember_me! and the user asked to be remembered, calls
      # resource.remember_me!(extend_remember_period?) and stores the
      # serialized resource in the signed remember_<scope>_token cookie.
      #
      # Note the cookie is not flagged :secure here, so it is also sent over
      # plain HTTP; an HTTPS-only site may want to add that flag as well.
      def success!(resource)
        super
        return unless succeeded? && resource.respond_to?(:remember_me!) && remember_me?

        resource.remember_me!(extend_remember_period?)

        cookie_options = {
          :value    => resource.class.serialize_into_cookie(resource),
          :expires  => resource.remember_expires_at,
          :path     => "/",
          # HttpOnly keeps the token out of document.cookie, so script injected
          # through an XSS bug cannot read it
          :httponly => true
        }
        cookie_options[:domain] = resource.cookie_domain if resource.cookie_domain?
        cookies.signed["remember_#{scope}_token"] = cookie_options
      end
    end
  end
end
# spec/controllers/devise/sessions_controller_spec.rb
require 'spec_helper'
describe Devise::SessionsController do
  before(:each) do
    request.env['devise.mapping'] = Devise.mappings[:user]
  end

  describe "POST create" do
    it "sets an HttpOnly remember me cookie when the user checks 'Remember Me'" do
      # as_null_object: any message the controller sends that is not stubbed
      # here is answered by the mock itself instead of failing the example
      remembered_user = mock_model(User, :valid_for_authentication? => true, :to_int => 1001).as_null_object
      User.stub(:find).and_return(remembered_user)

      credentials = { :email => "x@y.com", :password => "1234567890", :remember_me => "1" }
      post :create, :user => credentials

      # The Set-Cookie line for the remember token must carry the HttpOnly
      # attribute; the attribute name is matched case-sensitively.
      assert_match(/remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"])
    end
  end
end