The following note was sent to the Apache Tomcat DEV community on 2/13/2009 by Mark Thomas, the Tomcat lead. This has been quite an ordeal - it's been over a year and still we are debating the HTTPOnly patch in Tomcat! *sigh*
The implementation of httpOnly support in Tomcat 7 fits well with the previous httpOnly patch that is currently the proposed backport for 6.0.x.

When originally proposed there was some concern that the v3 servlet spec may require some changes. This hasn't been the case. With that in mind could folks please review their comments and votes for this patch. I'd like to get it into 6.0.19 if possible.

If you still think there is room for improvement, I'm happy to take another look at this. Some pointers as to how you think things could/should be improved would

If you do vote for this patch, please remember to indicate your preference for using or not using httpOnly for session cookies by default.
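The vote above turns on whether the session cookie should carry the HttpOnly attribute by default. The script below is an added example, not code from the post or from Tomcat: it parses Set-Cookie header values and reports any session cookie that lacks HttpOnly, which is the check an operator would run against a deployment to see what default it actually got. The list of session cookie names and the sample header lines are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute on session cookies.

Added example, not part of the original post or of Tomcat itself. The
header values in SAMPLE_HEADERS are constructed, not captured from a server.
"""
from typing import Dict, List, Tuple

# Cookie names commonly used to carry a server-side session id (assumption;
# extend for the containers you run).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to an empty string. Whitespace around each part is stripped.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_session_cookie(name: str) -> bool:
    """True when the cookie name is one of the known session-id names."""
    return name.lower() in SESSION_COOKIE_NAMES


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """Return one finding per session cookie that is set without HttpOnly.

    Without HttpOnly a session cookie is readable by script in the page
    (document.cookie), which is what the patch under discussion is meant to
    close off by default for the container-managed session cookie.
    """
    findings: List[str] = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not is_session_cookie(name):
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
    return findings


# Constructed sample headers (not real server output).
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/app",
    "JSESSIONID=DEF456; Path=/app; HttpOnly",
    "theme=dark; Path=/",
    "JSESSIONID=GHI789; Path=/secure; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
```

Feed it the Set-Cookie values from a real response (for example, the headers returned on first request to a Tomcat web application) and an empty result means every session cookie was flagged HttpOnly. Non-session cookies such as `theme` are deliberately ignored, since the patch only concerns the container's session cookie.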