Sign the auth token cookie and make it httpOnly

app/controllers/application_controller.rb

@@ -117,7 +117,7 @@ class ApplicationController < ActionController::Base
       user.auth_token = SecureRandom.hex(16)
       user.save!
     end
-    cookies.permanent[:_t] = user.auth_token
+    cookies.permanent.signed[:_t] = { :value => user.auth_token, :httponly => true }
   end
 
   # This is odd, but it seems that in Rails `render json: obj` is about