On Jun 30, 2011 8:25 AM, "Chris Smith" <cdsmith@gmail.com> wrote:
> The kinds of cookies generated by clientsession are not really vulnerable to
> cookie-stealing attacks anyway due to the encryption that goes on [...]

On further thought, I'm wrong about this... but the conclusion is the same; those cookies definitely ought to be setting the http-only flag.
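As an added illustration of the point made above (this is example code, not part of the thread or of the clientsession library): a small Python checker that parses raw Set-Cookie header values and reports which protective flags are absent. The sample headers, cookie name and value are constructed for the example; the attribute names HttpOnly and Secure are the standard ones from the cookie specification. Run against a server's responses, it flags a session cookie that is missing HttpOnly (and so readable from page script) before it reaches production.

```python
"""Check Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example, not part of the original thread or of clientsession.
It parses raw Set-Cookie values and reports which protective attributes
are missing, so a reviewer can spot a session cookie that page script
could read.
"""

# Constructed sample headers; cookie name and value are made up.
SAMPLE_HEADERS = [
    "_SESSION=abc123; Path=/",                                  # no flags
    "_SESSION=abc123; Path=/; HttpOnly",                        # HttpOnly only
    "_SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attributes are keyed by lower-case name; flag attributes that carry
    no '=' (HttpOnly, Secure) map to True, valued ones to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def missing_flags(header, require_secure=True):
    """Return the protective flags absent from one Set-Cookie value.

    HttpOnly is always required; Secure is required unless the caller
    is auditing a plain-HTTP development setup.
    """
    _, _, attrs = parse_set_cookie(header)
    wanted = ["httponly"] + (["secure"] if require_secure else [])
    return [flag for flag in wanted if flag not in attrs]


def audit(headers, require_secure=True):
    """Return (cookie name, missing flags) for every header given."""
    return [(parse_set_cookie(h)[0], missing_flags(h, require_secure))
            for h in headers]


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

The parser is deliberately tolerant (empty segments and odd spacing are accepted) because the aim is to audit what a server actually emits rather than to reject malformed headers; a cookie with an empty missing list passes.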