From 74a7141a63d75e1948d46efb9adaaacb22019aa3 Mon Sep 17 00:00:00 2001
From: Max Goodman
Date: Mon, 11 Feb 2013 17:25:43 -0800
Subject: [PATCH] Make the admin cookie HTTP only.

---
 r2/r2/controllers/reddit_base.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/r2/r2/controllers/reddit_base.py b/r2/r2/controllers/reddit_base.py
index 832cfe434..9bb7323b7 100644
--- a/r2/r2/controllers/reddit_base.py
+++ b/r2/r2/controllers/reddit_base.py
@@ -894,7 +894,8 @@ class RedditController(MinimalController):
     @staticmethod
     def enable_admin_mode(user, first_login=None):
         # no expiration time so the cookie dies with the browser session
-        c.cookies[g.admin_cookie] = Cookie(value=user.make_admin_cookie(first_login=first_login))
+        admin_cookie = user.make_admin_cookie(first_login=first_login)
+        c.cookies[g.admin_cookie] = Cookie(value=admin_cookie, httponly=True)

     @staticmethod
     def remember_otp(user):
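Review bot: The new `Cookie(value=admin_cookie, httponly=True)` line keeps the admin cookie away from page scripts but still allows it to travel over plain HTTP; if the `Cookie` helper accepts a `secure` flag alongside `httponly` (the helper is not visible in this hunk), the admin cookie should set it too, e.g. `Cookie(value=admin_cookie, httponly=True, secure=True)`, since this is the most privileged session cookie the site issues. The existing comment only explains the missing expiry, so extending it to `# no expiration time so the cookie dies with the browser session; HttpOnly keeps it out of reach of page scripts` records why the flag is there for the next reader. `enable_admin_mode` is fully contained in the hunk, while `remember_otp` begins on its last line and continues outside it.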