working on the httponly tutorial

app/models/user.rb

@@ -62,7 +62,7 @@ class User < ActiveRecord::Base
     return auth
   end
 
-=begin
+#=begin
   # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
   def self.authenticate(email, password)
        user = find_by_email(email) || User.new(:password => "")
@@ -72,7 +72,7 @@ class User < ActiveRecord::Base
           raise "Incorrect username or password"
         end
    end
-=end
+#=end
 
   def assign_user_id
     unless @skip_user_id_assign.present? || self.user_id.present?

app/views/layouts/shared/_header.html.erb

@@ -26,7 +26,7 @@
     going on with funny chars and jquery, plus it says safe so I'm guessing
     nothing bad will happen
     -->
-    Welcome, <%= current_user.first_name.html_safe %>
+    Welcome, <%= current_user.first_name %>
      </li>
      <li>
     <%= button_to "RailsGoat Tutorials", tutorials_path, {:class => "btn btn-primary", :method => "get"}%>

app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb

@@ -0,0 +1,75 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A2 - Broken Authentication and Session Management - Lack of HttpOnly Flag
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseHttpOnlyOne" style="height: auto;">
+            <div class="accordion-inner">
+        		INSERT DESC
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyTwo" style="height: 0px;">
+            <div class="accordion-inner">
+				<p class="desc">
+					By default, Ruby on Rails protects it's cookies with the HttpOnly flag. However, it is possible to disable this security protection and is not recommended. You can disable this protection using the flag highlighted below. This is an insecure and unnecessary change.
+				</p>	
+       			<pre class="ruby">
+Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', <span style="background:yellow">httponly: false</span>
+				</pre>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyThree" style="height: 0px;">
+            <div class="accordion-inner">
+              <p><b>Lack of Password Complexity - SOLUTION</b></p>
+        	  	INSERT SOLUTION
+            </div>
+          </div>
+        </div>
+    <div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseHttpOnlyFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyFour" style="height: 0px;">
+            <div class="accordion-inner">
+        <p class="desc">
+         INSERT DESC
+        </p>
+             </div>
+          </div>
+        </div>
+      </div>
+    </div>
+</div>

app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb

@@ -67,7 +67,7 @@
           </div>
           <div class="accordion-body collapse" id="collapseCompThree" style="height: 0px;">
             <div class="accordion-inner">
-              <p><b>Lack of Password Complexity - SOLUTION</b></p>
+              <p><b>Insecure Timing Attacks - SOLUTION</b></p>
         <p>
         Within app/models/user.rb:
         </p>

app/views/tutorials/broken_auth.html.erb

@@ -15,6 +15,11 @@
           <%= render :partial => ("layouts/tutorial/broken_auth_sess/insecure_compare")%>
         </div> <!-- End Span12-->
     </div>
+    <div class="row-fluid">
+        <div class="span12">
+          <%= render :partial => ("layouts/tutorial/broken_auth_sess/httponly_flag")%>
+        </div> <!-- End Span12-->
+    </div>
   </div>
 </div>