Question

I'm trying to turn httponly off for use in phonegap. I'm using rails 3.1 and devise, each of which has reported (but not documented) ways of doing this, none of which work:

# application.rb
config.session_options = { :httponly => false } # no effect
config.session = { :httponly => false } # undefined method `session='

# devise.rb
config.cookie_options = { :httponly => false } # also no effect

To test, I restarted the server, deleted the existing cookie, and reloaded the page. The 'Http' column was still checked in the Chrome debugger.

help!


Solution

This little snippet seems to work:

Testapp::Application.config.session_store :cookie_store, key: '_testapp_session', :domain => :all, :httponly => false

OTHER TIPS

As far as I can tell, this is a bug in Rails. Perhaps the option got removed, but the documentation stayed. Any ideas on this would be welcome!

I spent several thorough hours with ActionPack, and couldn't find any reference to such a configuration option, but I still don't have the full picture as to how it works. Specifically, there's the cookie store which holds cookies and writes them to the header (and is passed :httponly => true), but I couldn't find how the session is using the store, with vague things like the Rails SessionManage module being a proverbial ghost town.

I hacked up a middleware which does the job:

# application.rb:
# Inserting before ActionDispatch::Cookies means this middleware wraps it and
# therefore sees the Set-Cookie header after the cookie jar has written it.
config.middleware.insert_before ActionDispatch::Cookies, "UnshieldCookie" # remove httponly

# unshield_cookie.rb (file name must match the class for autoloading)
class UnshieldCookie
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)

    # Strip the attribute together with its "; " separator so no stray
    # delimiter is left behind in the header value.
    headers['Set-Cookie'].gsub!(/;\s*HttpOnly/i, '') if headers['Set-Cookie'].present?

    [status, headers, body]
  end
end
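The middleware above removes HttpOnly from every cookie the application sets, including any remember-me or CSRF cookies that the PhoneGap JavaScript never needs to read. The variant below, an added example rather than code from the answer or from Rails, limits the change to one named cookie and includes a small Set-Cookie auditor so the resulting flags can be checked in a test instead of by eye in the browser. It uses only the Ruby standard library: the wrapped app is a constructed lambda imitating what ActionDispatch::Cookies emits, and the cookie names and values are made up.

```ruby
# Added example, not part of the original answer: a Rack-style middleware that
# strips HttpOnly from a single named cookie, plus an auditor for Set-Cookie
# headers. Pure Ruby; the wrapped application is a constructed stand-in.

# Split a Set-Cookie header into one string per cookie. Rack 1.x joins several
# cookies with "\n"; newer Rack versions may hand over an Array instead.
def set_cookie_lines(value)
  return [] if value.nil?
  value.is_a?(Array) ? value : value.split("\n")
end

# Report which flags each cookie carries, keyed by cookie name, e.g.
# {"_testapp_session" => {httponly: true, secure: false}}.
def cookie_flags(set_cookie)
  set_cookie_lines(set_cookie).each_with_object({}) do |line, acc|
    pair, *attrs = line.split(/;\s*/)
    name = pair.split('=', 2).first
    attrs = attrs.map(&:downcase)
    acc[name] = { httponly: attrs.include?('httponly'),
                  secure: attrs.include?('secure') }
  end
end

class UnshieldSessionCookie
  # cookie_name: the one cookie that client-side JavaScript has to read.
  # Every other cookie keeps HttpOnly and stays out of reach of scripts.
  def initialize(app, cookie_name)
    @app = app
    @cookie_name = cookie_name
  end

  def call(env)
    status, headers, body = @app.call(env)
    raw = headers['Set-Cookie']
    if raw
      lines = set_cookie_lines(raw).map do |line|
        name = line.split('=', 2).first
        name == @cookie_name ? line.sub(/;\s*HttpOnly/i, '') : line
      end
      headers['Set-Cookie'] = raw.is_a?(Array) ? lines : lines.join("\n")
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the Rails app: it sets two cookies, both HttpOnly,
# the second one also Secure.
FAKE_APP = lambda do |_env|
  set_cookie = "_testapp_session=abc123; path=/; HttpOnly\n" \
               "remember_token=xyz; path=/; secure; HttpOnly"
  [200, { 'Content-Type' => 'text/html', 'Set-Cookie' => set_cookie }, ['ok']]
end

# Run one request through the middleware and audit the cookies it emits.
def run_demo
  _status, headers, _body =
    UnshieldSessionCookie.new(FAKE_APP, '_testapp_session').call({})
  cookie_flags(headers['Set-Cookie'])
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |name, flags| puts "#{name}: #{flags}" }
end
```

In a real application the class would be registered the same way as the answer's middleware (`config.middleware.insert_before ActionDispatch::Cookies, "UnshieldSessionCookie", "_testapp_session"`, with the session key taken from the `session_store` line in the accepted answer); `cookie_flags` is also handy in a request spec to assert that only the session cookie lost its flag.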
Licensed under: CC-BY-SA with attribution