<p>On Jun 30, 2011 8:25 AM, "Chris Smith" <<a href="mailto:cdsmith@gmail.com">cdsmith@gmail.com</a>> wrote:<br>
> The kinds of cookies generated by clientsession are not really vulnerable to<br>
> cookie-stealing attacks anyway due to the encryption that goes on [...]</p>
<p>On further thought, I'm wrong about this... but the conclusion is the same; those cookies definitely ought to be setting the http-only flag.</p>