added httponly true by default, updated readme

2011-12-30 08:40:36 -08:00 · 2011-12-30 08:40:36 -08:00 · eaaac62165
--- a/README.md
+++ b/README.md
@ -22,7 +22,7 @@ API
        cookie: {
          path: '/api',
          httpOnly: true, // defaults to true
-          secure: true    // defaults to true
+          secure: false   // defaults to false
        }
      }));

--- a/lib/cookie-session.js
+++ b/lib/cookie-session.js
@ -193,6 +193,19 @@ var cookieSession = function(opts) {
  
  opts.cookieName = opts.cookieName || "session";

+  // set up cookie defaults
+  opts.cookie = opts.cookie || {};
+  if (typeof(opts.cookie.httpOnly) == 'undefined')
+    opts.cookie.httpOnly = true;
+  
+  // let's not default to secure just yet,
+  // as this depends on the socket being secure,
+  // which is tricky to determine if proxied.
+  /*
+  if (typeof(opts.cookie.secure) == 'undefined')
+    opts.cookie.secure = true;
+    */
+
  // support for maxAge
  if (opts.cookie.maxAge) {
    opts.cookie.expires = new Date(new Date().getTime() + opts.cookie.maxAge);
--- a/test/all-test.js
+++ b/test/all-test.js
@ -86,6 +86,9 @@ suite.addBatch({
    },
    "with a path attribute": function(err, res) {
      assert.match(res.headers['set-cookie'][0], /path/);
+    },
+    "with an httpOnly attribute": function(err, res) {
+      assert.match(res.headers['set-cookie'][0], /httponly/);
    }
  }
 });