Merge branch 'sh-set-httponly-experimentation-subject-id' into 'master'

Enable the HttpOnly flag for experimentation_subject_id cookie Closes #34851 See merge request gitlab-org/gitlab!19189

Merge branch 'sh-set-httponly-experimentation-subject-id' into 'master'
Enable the HttpOnly flag for experimentation_subject_id cookie Closes #34851 See merge request gitlab-org/gitlab!19189
92490c32 · Sean McGivern · 87332f2d · b61cc5dd · 92490c32 · 92490c32
Commit 92490c32 authored Oct 28, 2019 by Sean McGivern
Showing with 7 additions and 1 deletion

changelogs/unreleased/sh-set-httponly-experimentation-subject-id.yml ...unreleased/sh-set-httponly-experimentation-subject-id.yml +5 -0

lib/gitlab/experimentation.rb lib/gitlab/experimentation.rb +2 -1

No files found.
--- a/changelogs/unreleased/sh-set-httponly-experimentation-subject-id.yml
+++ b/changelogs/unreleased/sh-set-httponly-experimentation-subject-id.yml
+---
+title: Enable the HttpOnly flag for experimentation_subject_id cookie
+merge_request: 19189
+author:
+type: security
--- a/lib/gitlab/experimentation.rb
+++ b/lib/gitlab/experimentation.rb
@@ -38,7 +38,8 @@ module Gitlab
        cookies.permanent.signed[:experimentation_subject_id] = {
          value: SecureRandom.uuid,
          domain: :all,
-          secure: ::Gitlab.config.gitlab.https
+          secure: ::Gitlab.config.gitlab.https,
+          httponly: true
        }
      end