0 Replies Latest reply on Mar 22, 2008 3:54 PM by jmanico

    HttpOnly cookie flag

    jmanico

      Hello. Are there any plans to support the HttpOnly cookie flag in the session cookie (JSESSIONID) of JBoss? Tomcat is en route to supporting this security flag.

      As a side note, the HttpOnly cookie flag blocks JavaScript from accessing cookie data. It is supported by IE6+, Firefox 2.0.0.5+ and Opera 9.5+, and is still being developed for Safari. It's not a standard per se, but it is very widely used in practice. The Java Server JSR is also considering this flag. The security benefits are very significant. There is never, ever a need to access the JSESSIONID cookie via JavaScript. By adding HttpOnly support to JBoss, a large class of Cross Site Scripting and Session Hijacking attacks will be prevented.

      Thank you!!
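As an added example, not from the original post and not JBoss or Tomcat code, here is the kind of servlet filter that was used to get HttpOnly onto JSESSIONID on containers whose Servlet API predates `Cookie.setHttpOnly()`: after the request has run, it overwrites the container's Set-Cookie header for a newly created session. The class name is hypothetical, and it assumes the container issues the session cookie with the context path and that the response is still uncommitted when the filter regains control.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not container code): when a request creates a new
// session, replace the container's Set-Cookie for JSESSIONID with one that
// carries HttpOnly, plus Secure when the request arrived over HTTPS.
public class HttpOnlySessionCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        chain.doFilter(request, response);

        // Only a session created during this request has a pending Set-Cookie.
        HttpSession session = request.getSession(false);
        if (session == null || !session.isNew()) {
            return;
        }
        // setHeader replaces the container's cookie header, but only while the
        // response is uncommitted; once headers are flushed the original stands.
        if (response.isCommitted()) {
            request.getServletContext().log("HttpOnly not applied: response already committed");
            return;
        }
        String header = sessionCookieHeader(session.getId(), request.getContextPath(), request.isSecure());
        response.setHeader("Set-Cookie", header);
    }

    // Builds the replacement header value; an empty context path means the root.
    static String sessionCookieHeader(String sessionId, String contextPath, boolean secure) {
        StringBuilder sb = new StringBuilder("JSESSIONID=").append(sessionId);
        sb.append("; Path=").append(contextPath.length() == 0 ? "/" : contextPath);
        if (secure) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }
}
```

Map the filter to `/*` in web.xml ahead of other filters so it sees every request; if the application writes large responses that commit before the chain returns, the log line shows where the flag was not applied.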