From 8df7065b61cd7ab9a7ce9cd6646e334afaad5ec5 Mon Sep 17 00:00:00 2001
From: Phil Lee
Date: Thu, 3 Oct 2024 12:21:14 +0100
Subject: [PATCH] accept cookie httponly - this is only used server side so prevents client reading or tampering
---
app/controllers/admin/cookies_controller.rb | 12 ++++++++----
app/controllers/cookies_controller.rb | 12 ++++++++----
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/app/controllers/admin/cookies_controller.rb b/app/controllers/admin/cookies_controller.rb
index 191f34b706..e5a999bb4b 100644
--- a/app/controllers/admin/cookies_controller.rb
+++ b/app/controllers/admin/cookies_controller.rb
@@ -2,7 +2,8 @@ class Admin::CookiesController < Admin::BaseAdminController
 def accept
 cookies.encrypted[:accept_cookies] = {
 value: {state: true, message: true}.to_json,
- expires: 90.days.from_now
+ expires: 90.days.from_now,
+ httponly: true
 }
 
 respond_to do |format|
@@ -14,7 +15,8 @@ def accept
 def reject
 cookies.encrypted[:accept_cookies] = {
 value: {state: false, message: true}.to_json,
- expires: 90.days.from_now
+ expires: 90.days.from_now,
+ httponly: true
 }
 
 respond_to do |format|
@@ -28,7 +30,8 @@ def hide
 
 cookies.encrypted[:accept_cookies] = {
 value: {state:, message: false}.to_json,
- expires: 90.days.from_now
+ expires: 90.days.from_now,
+ httponly: true
 }
 
 redirect_to request.env["HTTP_REFERER"]
@@ -39,7 +42,8 @@ def update
 
 cookies.encrypted[:accept_cookies] = {
 value: {state: form.accept, message: true}.to_json,
- expires: 90.days.from_now
+ expires: 90.days.from_now,
+ httponly: true
 }
 
 redirect_to admin_cookies_path
diff --git a/app/controllers/cookies_controller.rb b/app/controllers/cookies_controller.rb
index d202cc1389..61ae61178e 100644
--- a/app/controllers/cookies_controller.rb
+++ b/app/controllers/cookies_controller.rb
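Review bot: The new `httponly: true` in each `cookies.encrypted[:accept_cookies] = {…}` hash (accept, reject, hide and update here, and the same four hunks in app/controllers/cookies_controller.rb) is not paired with a `secure:` flag, so unless `config.force_ssl` is enabled the consent cookie can still be sent over plain HTTP. Consider adding `secure: Rails.env.production?` next to `httponly: true`, or confirm that the SSL middleware already upgrades cookie flags in this app. HttpOnly only keeps the cookie out of client-side script; tamper-resistance comes from the encrypted jar, and a short comment such as `# httponly: never read by JS; the encrypted jar covers tampering` would keep those two concerns distinct for the next reader. Each method's `respond_to`/`redirect_to` tail continues outside the hunk.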
@@ -4,7 +4,8 @@ class CookiesController < BasePublicController
 def accept
 cookies.encrypted[:accept_cookies] = {
 value: {state: true, message: true}.to_json,
- expires: 90.days.from_now
+ expires: 90.days.from_now,
+ httponly: true
 }
 
 respond_to do |format|
@@ -16,7 +17,8 @@ def accept
 def reject
 cookies.encrypted[:accept_cookies] = {
 value: {state: false, message: true}.to_json,
- expires: 90.days.from_now
+ expires: 90.days.from_now,
+ httponly: true
 }
 
 respond_to do |format|
@@ -30,7 +32,8 @@ def hide
 
 cookies.encrypted[:accept_cookies] = {
 value: {state:, message: false}.to_json,
- expires: 90.days.from_now
+ expires: 90.days.from_now,
+ httponly: true
 }
 
 redirect_to request.env["HTTP_REFERER"]
@@ -41,7 +44,8 @@ def update
 
 cookies.encrypted[:accept_cookies] = {
 value: {state: form.accept, message: true}.to_json,
- expires: 90.days.from_now
+ expires: 90.days.from_now,
+ httponly: true
 }
 
 redirect_to cookies_path(current_journey_routing_name)
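Review bot: The same cookie hash (name, `to_json` payload, `expires: 90.days.from_now`, `httponly: true`) is now written verbatim in accept, reject, hide and update, and four more times in app/controllers/admin/cookies_controller.rb, so the next cookie attribute will again need eight edits. A private helper owning the cookie name, lifetime and flags would let each action collapse to a call such as `write_accept_cookie(state: true, message: true)`, with hide passing its local `state` and update passing `form.accept`. The `{state:, message:}` shorthand already used in hide can carry the values through unchanged. Each action's trailing `respond_to`/`redirect_to` lines would stay as they are.
```ruby
  def accept
    write_accept_cookie(state: true, message: true)
    # … unchanged: respond_to block …

  # … reject, hide and update: replace their cookie hash with the matching write_accept_cookie call …

  private

  # Single owner of the consent cookie's name, lifetime and flags.
  def write_accept_cookie(state:, message:)
    cookies.encrypted[:accept_cookies] = {
      value: {state:, message:}.to_json,
      expires: 90.days.from_now,
      httponly: true
    }
  end
```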