add HTTPOnly bool to CookieSessionProvider (#248)

Author: danielhochman

samlsp/new.go

@@ -81,11 +81,12 @@ func DefaultSessionProvider(opts Options) CookieSessionProvider {
 	}
 
 	return CookieSessionProvider{
-		Name:   cookieName,
-		Domain: cookieDomain,
-		MaxAge: maxAge,
-		Secure: cookieSecure,
-		Codec:  DefaultSessionCodec(opts),
+		Name:     cookieName,
+		Domain:   cookieDomain,
+		MaxAge:   maxAge,
+		HTTPOnly: true,
+		Secure:   cookieSecure,
+		Codec:    DefaultSessionCodec(opts),
 	}
 }
 

samlsp/session_cookie.go

@@ -15,11 +15,12 @@ var _ SessionProvider = CookieSessionProvider{}
 // CookieSessionProvider is an implementation of SessionProvider that stores
 // session tokens in an HTTP cookie.
 type CookieSessionProvider struct {
-	Name   string
-	Domain string
-	Secure bool
-	MaxAge time.Duration
-	Codec  SessionCodec
+	Name     string
+	Domain   string
+	HTTPOnly bool
+	Secure   bool
+	MaxAge   time.Duration
+	Codec    SessionCodec
 }
 
 // CreateSession is called when we have received a valid SAML assertion and
@@ -46,7 +47,7 @@ func (c CookieSessionProvider) CreateSession(w http.ResponseWriter, r *http.Requ
 		Domain:   c.Domain,
 		Value:    value,
 		MaxAge:   int(c.MaxAge.Seconds()),
-		HttpOnly: true,
+		HttpOnly: c.HTTPOnly,
 		Secure:   c.Secure || r.URL.Scheme == "https",
 		Path:     "/",
 	})