From eaaac621653d216d72d3757215bab38c58c85314 Mon Sep 17 00:00:00 2001
From: Ben Adida
Date: Fri, 30 Dec 2011 08:40:36 -0800
Subject: [PATCH] added httponly true by default, updated readme

---
 README.md | 2 +-
 lib/cookie-session.js | 13 +++++++++++++
 test/all-test.js | 3 +++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index bdb1bd9..4bf14ce 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ API
 cookie: {
 path: '/api',
 httpOnly: true, // defaults to true
- secure: true // defaults to true
+ secure: false // defaults to false
 }
 }));
diff --git a/lib/cookie-session.js b/lib/cookie-session.js
index 3c2311a..7e86037 100644
--- a/lib/cookie-session.js
+++ b/lib/cookie-session.js
@@ -193,6 +193,19 @@ var cookieSession = function(opts) {
 opts.cookieName = opts.cookieName || "session";
+ // set up cookie defaults
+ opts.cookie = opts.cookie || {};
+ if (typeof(opts.cookie.httpOnly) == 'undefined')
+ opts.cookie.httpOnly = true;
+
+ // let's not default to secure just yet,
+ // as this depends on the socket being secure,
+ // which is tricky to determine if proxied.
+ /*
+ if (typeof(opts.cookie.secure) == 'undefined')
+ opts.cookie.secure = true;
+ */
+
 // support for maxAge
 if (opts.cookie.maxAge) {
 opts.cookie.expires = new Date(new Date().getTime() + opts.cookie.maxAge);
diff --git a/test/all-test.js b/test/all-test.js
index a7c59ca..3198340 100644
--- a/test/all-test.js
+++ b/test/all-test.js
@@ -86,6 +86,9 @@ suite.addBatch({
 },
 "with a path attribute": function(err, res) {
 assert.match(res.headers['set-cookie'][0], /path/);
+ },
+ "with an httpOnly attribute": function(err, res) {
+ assert.match(res.headers['set-cookie'][0], /httponly/);
 }
 }
 });
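Review bot: The commented-out `secure` default in the lib/cookie-session.js hunk is dead code that leaves the security-relevant decision undocumented in the code itself: with `secure` now defaulting to false (as the README hunk states), the session cookie is sent on cleartext requests unless the caller sets it, so the `/* ... */` block should be replaced by a short comment saying the default is intentionally false because TLS state is not reliably known behind a proxy and that deployments served over HTTPS should pass `cookie: { secure: true }`, tracked as a `// TODO` for a proper default. The `typeof(opts.cookie.httpOnly) == 'undefined'` test also uses loose equality where strict is the convention; `if (opts.cookie.httpOnly === undefined)` reads the same. The `opts.cookie = opts.cookie || {}` line mutates the caller's options object, which is worth noting in the function's documentation. The enclosing `cookieSession` function starts and ends outside the hunk.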
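Review bot: The new assertion's regex `/httponly/` in test/all-test.js is case-sensitive while the Set-Cookie attribute name is case-insensitive, so it pins the serializer's current casing rather than the attribute's presence; `assert.match(res.headers['set-cookie'][0], /httponly/i);` checks the same thing without that coupling. The same applies to the existing `/path/` check in the context lines. The enclosing `suite.addBatch` object starts outside the hunk.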