--- C:/Documents and Settings/Jim/workspace/tomcat-trunk/java/org/apache/tomcat/util/http/ServerCookie.java (revision 642698) +++ C:/Documents and Settings/Jim/workspace/tomcat-trunk/java/org/apache/tomcat/util/http/ServerCookie.java (working copy) @@ -52,6 +52,13 @@ private int version = 0; /** + * Default to backwards compatible cookie behavior without HttpOnly + */ + + public static final boolean HTTP_ONLY_SESSION_COOKIE = + Boolean.valueOf(System.getProperty("org.apache.catalina.HTTP_ONLY_SESSION_COOKIE", "false")).booleanValue(); + + /** * If set to true, we parse cookies according to the servlet spec, */ public static final boolean STRICT_SERVLET_COMPLIANCE = @@ -247,7 +254,8 @@ String domain, String comment, int maxAge, - boolean isSecure ) + boolean isSecure, + boolean httpOnly) { StringBuffer buf = new StringBuffer(); // Servlet implementation checks name @@ -307,6 +315,11 @@ buf.append ("; Secure"); } + // HttpOnly + if (HTTP_ONLY_SESSION_COOKIE && httpOnly) { + buf.append ("; HttpOnly"); + } + headerBuf.append(buf); }
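Review bot: The Javadoc on the new HTTP_ONLY_SESSION_COOKIE constant does not say which system property it reads, nor that, being `static final`, the property is sampled once when ServerCookie is loaded, so setting it after startup has no effect; it should also state that the switch defaults to off and that when it is off a per-cookie httpOnly request is not emitted (see the third hunk). The name also says "session cookie" while the constant lives in the generic ServerCookie class and gates every cookie serialized through appendCookieValue, so either the name or the comment should make the intended scope explicit. A suggested comment: `/** Global switch for emitting the HttpOnly attribute, read once at class load from the system property org.apache.catalina.HTTP_ONLY_SESSION_COOKIE; defaults to false for backwards compatibility. */`. As a point of style, `Boolean.getBoolean("org.apache.catalina.HTTP_ONLY_SESSION_COOKIE")` is equivalent to the Boolean.valueOf(System.getProperty(..., "false")).booleanValue() form and shorter. The stray blank line between the closing `*/` and the declaration should go.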
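Review bot: appendCookieValue gains a trailing `boolean httpOnly` parameter, but no overload with the previous signature appears in this hunk, so every existing caller of this public static helper, inside Tomcat and in any third-party code, stops compiling unless updated in the same change. If source compatibility for this method matters, keep the old signature as a delegating overload, `appendCookieValue(headerBuf, version, name, value, path, domain, comment, maxAge, isSecure, false);`, which preserves the old output exactly because the HttpOnly branch is skipped when httpOnly is false. The parameter list starts before the hunk and the method body runs past it, so the full signature and the existing callers cannot be verified from this diff.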
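Review bot: The new condition `if (HTTP_ONLY_SESSION_COOKIE && httpOnly)` turns the global system property into a kill-switch that silently drops an explicit per-cookie httpOnly=true, and since the property defaults to false a caller that deliberately asks for HttpOnly gets no protection unless the operator also set the JVM flag. It would be safer to let the global property only supply the default at the site that creates the session cookie and to honor an explicit request here with `if (httpOnly) { buf.append ("; HttpOnly"); }`. If masking an explicit request is intentional for backwards compatibility, the `// HttpOnly` comment should say so, for example `// HttpOnly: emitted only when the global switch is on, so an explicit httpOnly is ignored by default`. Whether any caller passes httpOnly=true for cookies other than the session cookie is not visible in this diff.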