Hello - are there any development plans to add the HttpOnly cookie flag to the JBoss
session handling cookie? When the HttpOnly flag is added to the session cookie, it prevents
JavaScript from reading cookie data. This protects the session cookie from Cross Site
Scripting Session Hijack attacks. The HttpOnly cookie flag, while not a standard, is a
widely used practice and is supported in IE 6+, FF 2.0.0.5+, Opera 9.01+, Konqueror, and
is under development at Safari/Webkit.
I've tried to get the cookie1 standard amended, but the best most teams come up with
is the old Netscape docs on cookie1 - cookie2 never took off.
Any help adding this easy but rather significant fix to JBoss would be greatly
appreciated. I am also leading the charge getting HttpOnly added to Tomcat
http://manicode.blogspot.com/2008/03/httponly-support-for-apache-tomcat.html
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4138440#...