Is there any plans to support the HttpOnly cookie flag in the core session handling (JSESSIONID) cookie of JBoss? As another question, is JBOSS a fork of Tomcat, or does it still use regular Tomcat builds within the project? Also, is there a better place to post this?