Merge branch 'hotfix/httponly' into 'gray'

Hotfix/httponly



See merge request !1304

@@ -146,7 +146,8 @@ class AuthModel extends global.yoho.BaseModel {
             req.session.SESSION_KEY = sessionKey;
             res.cookie('_SESSION_KEY', authcode(sessionKey, '_SESSION_KEY', 2592000000, 'encode'), {
                 domain: 'yohobuy.com',
-                expires: new Date(Date.now() + 2592000000) // 有效期一年
+                expires: new Date(Date.now() + 2592000000), // 有效期一年
+                httpOnly: true
             });
             userId.sessionKey = sessionKey;
         }

@@ -29,7 +29,7 @@ function yohoSession(opts) {
             req.session = new memcachedSession.Session(req, req[opts.backSession].sessionBack);
             req.session.cookie = new memcachedSession.Cookie({
                 domain: 'yohobuy.com',
-                httpOnly: false
+                httpOnly: true
             });
         }
 
@@ -63,7 +63,7 @@ module.exports = (app) => {
         },
         cookie: {
             domain: 'yohobuy.com',
-            httpOnly: false
+            httpOnly: true
         },
         store: new MemcachedStore({
             hosts: config.memcache.session,
@@ -80,7 +80,8 @@ module.exports = (app) => {
         secret: '82dd7e724f2c6870472c89dfa43cf48d',
         cookie: {
             domain: 'yohobuy.com',
-            ephemeral: true
+            ephemeral: true,
+            httpOnly: true
         }
     }));