From 3c355f19eb6efcc97be7dcaaba9f3f0358b64a1c Mon Sep 17 00:00:00 2001 From: Raphael Deem Date: Wed, 25 Jan 2017 16:47:14 -0800 Subject: [PATCH] false cookie attributes should not be set --- sanic/cookies.py | 3 ++- tests/test_cookies.py | 23 ++++++++++++++++++++++- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/sanic/cookies.py b/sanic/cookies.py index b7669e76..d54174f8 100644 --- a/sanic/cookies.py +++ b/sanic/cookies.py @@ -107,7 +107,8 @@ class Cookie(dict): value.strftime("%a, %d-%b-%Y %T GMT") )) elif key in self._flags: - output.append(self._keys[key]) + if self[key]: + output.append(self._keys[key]) else: output.append('%s=%s' % (self._keys[key], value)) diff --git a/tests/test_cookies.py b/tests/test_cookies.py index cf6a4259..ac3f72d9 100644 --- a/tests/test_cookies.py +++ b/tests/test_cookies.py @@ -3,6 +3,7 @@ from http.cookies import SimpleCookie from sanic import Sanic from sanic.response import json, text from sanic.utils import sanic_endpoint_test +import pytest # ------------------------------------------------------------ # @@ -25,6 +26,26 @@ def test_cookies(): assert response.text == 'Cookies are: working!' assert response_cookies['right_back'].value == 'at you' +@pytest.mark.parametrize("httponly,expected", [ + (False, False), + (True, True), +]) +def test_false_cookies(httponly, expected): + app = Sanic('test_text') + + @app.route('/') + def handler(request): + response = text('Cookies are: {}'.format(request.cookies['test'])) + response.cookies['right_back'] = 'at you' + response.cookies['right_back']['httponly'] = httponly + return response + + request, response = sanic_endpoint_test(app) + response_cookies = SimpleCookie() + response_cookies.load(response.headers.get('Set-Cookie', {})) + + 'HttpOnly' in response_cookies == expected + def test_http2_cookies(): app = Sanic('test_http2_cookies') 
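Review bot: The new guard `if self[key]:` in the `elif key in self._flags:` branch tests truthiness rather than a boolean, so a flag assigned a non-empty string such as `'False'` is still emitted, while `0`, `''` or `None` silently drop it from the header. These flags include HttpOnly (and presumably Secure), so the rule deserves a comment on the guard, e.g. `# flag attributes carry no value; emit them only when the stored value is truthy`. `value` is already used by the neighbouring branches, so `if value:` would read more consistently, assuming it is the loop variable bound to `self[key]`. The enclosing method starts and ends outside the hunk.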
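Review bot: The last line of `test_false_cookies`, `'HttpOnly' in response_cookies == expected`, has no `assert`, so the test passes whatever the header contains and the HttpOnly fix is not actually covered. Adding `assert` alone would not help: the expression is a chained comparison, and `SimpleCookie` is keyed by cookie name rather than by attribute. The check should inspect the morsel instead, e.g. `assert bool(response_cookies['right_back']['httponly']) == expected`. The handler also reads `request.cookies['test']`, but `sanic_endpoint_test(app)` is called without cookies, so the request probably fails before any `Set-Cookie` is produced. Send a `test` cookie with the request or drop that lookup from the handler.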
@@ -54,4 +75,4 @@ def test_cookie_options(): response_cookies.load(response.headers.get('Set-Cookie', {})) assert response_cookies['test'].value == 'at you' - assert response_cookies['test']['httponly'] == True \ No newline at end of file + assert response_cookies['test']['httponly'] == True