Hi,

Currently Catalyst::Plugin::Session::State::Cookie doesn't allow configuration of the HttpOnly flag. It looks trivial to add, so basically I'm wondering whether this idea has been discussed and discounted before and if there is any reason why I shouldn't just patch it?

Cheers