Hello. Are there any plans to support the HttpOnly cookie flag in the session cookie
(JSESSIONID) of JBoss? Tomcat is on route to support this security flag.
As a side note, the HttpOnly cookie flag blocks JavaScript from accessing cookie data. It
is supported by IE6+, Firefox 2.0.0.5+, Opera 9.5+ and is still being developed for Safari.
It's not a standard per se but is very widely used in practice. The Java Server JSR
is also considering this flag. The security benefits are very significant. There is never,
ever a need to access the JSESSIONID cookie via JavaScript. By adding HttpOnly support to
JBoss, a large class of Cross Site Scripting and Session Hijacking attacks will be
prevented.
Thank you!!
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4138439#...
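The post asks for container-level support, which at the time of writing did not exist. The following servlet filter is an added example (not code from the poster, JBoss or Tomcat) of the interim approach an application can take on a Servlet 2.x container: create the session up front and rewrite the Set-Cookie header so the JSESSIONID cookie carries HttpOnly (and Secure when the request arrived over TLS). The filter name, the `SESSION_COOKIE_NAME` constant and the assumption that the container honours a `Set-Cookie` header set by the application are all assumptions of this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (hypothetical, not part of JBoss or Tomcat) that re-emits the
 * session cookie with the HttpOnly flag on containers whose session manager
 * does not set it. Map it in web.xml with a url-pattern of "/*" so it runs
 * before any servlet or JSP.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    /** Assumed default session cookie name; adjust if the container is configured differently. */
    private static final String SESSION_COOKIE_NAME = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed for this example.
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;

            // Create the session now, before the response is committed, so we know its id
            // and can write the cookie ourselves rather than leaving it to the container.
            HttpSession session = req.getSession(true);
            if (session.isNew()) {
                resp.setHeader("Set-Cookie", buildSessionCookie(session.getId(),
                        req.getContextPath(), req.isSecure()));
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }

    /**
     * Builds the Set-Cookie value. HttpOnly keeps document.cookie from reading it;
     * Secure (only when the request was over TLS) keeps it off plaintext connections.
     * The Path is the web application's context path, or "/" for the root context.
     */
    static String buildSessionCookie(String sessionId, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        StringBuilder sb = new StringBuilder();
        sb.append(SESSION_COOKIE_NAME).append('=').append(sessionId);
        sb.append("; Path=").append(path);
        if (secure) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }
}
```

Two caveats when using this pattern. `setHeader("Set-Cookie", ...)` replaces every Set-Cookie header already on the response, so the filter must run before anything else adds cookies; and some containers write the session cookie below the filter layer, so the only reliable check is to inspect the raw response with a proxy or `curl -I` and confirm that the JSESSIONID line actually contains `HttpOnly`.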