authorGarry Shutler <garry@robustsoftware.co.uk>2013-07-03 19:43:50 +0100
committerGarry Shutler <garry@robustsoftware.co.uk>2013-07-03 19:43:50 +0100
commit65d3894224149ed3aee80293892bb368377913a1 (patch)
treea0e951d4b3d05ba3216bc50d02608ed7386915ac
parentdf7e1e25ded17423c635a8a1e2d53467f61ffe58 (diff)
downloadrack-65d3894224149ed3aee80293892bb368377913a1.tar.gz
Set HttpOnly for cookies using :http_only
-rw-r--r--lib/rack/utils.rb2
-rw-r--r--test/spec_response.rb12
2 files changed, 13 insertions, 1 deletions
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 0c7091e3..43bbef37 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -274,7 +274,7 @@ module Rack
         expires = "; expires=" +
           rfc2822(value[:expires].clone.gmtime) if value[:expires]
         secure = "; secure"  if value[:secure]
-        httponly = "; HttpOnly" if value[:httponly]
+        httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
         value = value[:value]
       end
       value = [value] unless Array === value
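Review bot: On the new `httponly` line, `value.key?(:httponly)` treats a present-but-nil `:httponly` as an explicit opt-out, so a hash such as `{:httponly => nil, :http_only => true}` (easy to produce when options are merged over defaults) emits the cookie without HttpOnly. Because this attribute is what keeps the cookie out of reach of page scripts, silently dropping it is the unsafe direction to fail. Falling back only when the value is nil keeps the explicit-false precedence that the spec pins: `httponly = "; HttpOnly" if (value[:httponly].nil? ? value[:http_only] : value[:httponly])`. A one-line comment stating that `:httponly` wins over `:http_only` when both are given would also help. The enclosing method starts and ends outside the hunk.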
diff --git a/test/spec_response.rb b/test/spec_response.rb
index 0ba17b15..12b8b7b3 100644
--- a/test/spec_response.rb
+++ b/test/spec_response.rb
@@ -85,6 +85,18 @@ describe Rack::Response do
     response["Set-Cookie"].should.equal "foo=bar; HttpOnly"
   end
 
+  it "can set http only cookies with :http_only" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :http_only => true}
+    response["Set-Cookie"].should.equal "foo=bar; HttpOnly"
+  end
+
+  it "can set prefers :httponly for http only cookie setting when :httponly and :http_only provided" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :httponly => false, :http_only => true}
+    response["Set-Cookie"].should.equal "foo=bar"
+  end
+
   it "can delete cookies" do
     response = Rack::Response.new
     response.set_cookie "foo", "bar"
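Review bot: The two added specs cover only the conflict where `:httponly` switches the flag off; nothing pins the opposite one, `{:value => "bar", :httponly => true, :http_only => false}`, which should still yield `foo=bar; HttpOnly`. A `:httponly => nil` passed alongside `:http_only => true` is also untested, and its expected header should be stated explicitly whichever behaviour is intended. These are the cases where a later regression would ship a cookie readable by scripts, so each deserves a spec. The second description is also hard to read; `it "prefers :httponly over :http_only when both are provided" do` says the same thing.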