changeset 1714:1308f068fc1a beta

added httponly and secure cookie into ini files
author Marcin Kuzminski <marcin@python-works.com>
date Wed, 23 Nov 2011 16:37:50 +0200
parents 54687aa00724
children e1e482093077
files development.ini production.ini rhodecode/config/deployment.ini_tmpl
diffstat 3 files changed, 12 insertions(+), 2 deletions(-) [+]
--- a/development.ini	Wed Nov 23 15:36:57 2011 +0200
+++ b/development.ini	Wed Nov 23 16:37:50 2011 +0200
@@ -142,6 +142,9 @@
 beaker.session.encrypt_key = g654dcno0-9873jhgfreyu
 beaker.session.validate_key = 9712sds2212c--zxc123
 beaker.session.timeout = 36000
+beaker.session.httponly = true
+# uncomment for https secure cookie
+beaker.session.secure = false
 
 ##auto save the session to not to use .save()
 beaker.session.auto = False
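Review bot: The comment `# uncomment for https secure cookie` sits above a line that is already active, `beaker.session.secure = false`, so there is nothing to uncomment and an operator who follows it literally changes nothing. Either ship the line commented out with the enabling value, `#beaker.session.secure = true`, or keep it active and reword the comment to `# set to true when the site is served over https, so the session cookie is never sent over plain http`. The same three added lines appear in the production.ini and rhodecode/config/deployment.ini_tmpl hunks and need the same fix. The new keys are also written in lowercase `true`/`false` while the neighbouring `beaker.session.auto = False` is capitalised; one spelling per file would read better.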
--- a/production.ini	Wed Nov 23 15:36:57 2011 +0200
+++ b/production.ini	Wed Nov 23 16:37:50 2011 +0200
@@ -142,6 +142,9 @@
 beaker.session.encrypt_key = g654dcno0-9873jhgfreyu
 beaker.session.validate_key = 9712sds2212c--zxc123
 beaker.session.timeout = 36000
+beaker.session.httponly = true
+# uncomment for https secure cookie
+beaker.session.secure = false
 
 ##auto save the session to not to use .save()
 beaker.session.auto = False
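Review bot: The context lines of this hunk show production.ini carrying the same `beaker.session.encrypt_key` and `beaker.session.validate_key` values as development.ini, so the cookie flags added here harden a session whose signing and encryption keys are published with the source. Any installation that keeps these defaults shares its keys with every other one, whereas the deployment.ini_tmpl hunk already fills both from `${app_instance_secret}`. I would add a comment above the two keys, `## CHANGE THESE: generate unique random values for every installation`, or ship placeholders instead of usable values. Separately, if the production sample is expected to run behind https (the page does not say), `beaker.session.secure = true` would be the safer shipped default.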
@@ -255,4 +258,4 @@
 [formatter_color_formatter_sql]
 class=rhodecode.lib.colored_formatter.ColorFormatterSql
 format= %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
-datefmt = %Y-%m-%d %H:%M:%S
\ No newline at end of file
+datefmt = %Y-%m-%d %H:%M:%S
--- a/rhodecode/config/deployment.ini_tmpl	Wed Nov 23 15:36:57 2011 +0200
+++ b/rhodecode/config/deployment.ini_tmpl	Wed Nov 23 16:37:50 2011 +0200
@@ -142,13 +142,17 @@
 beaker.session.encrypt_key = ${app_instance_secret}
 beaker.session.validate_key = ${app_instance_secret}
 beaker.session.timeout = 36000
+beaker.session.httponly = true
+# uncomment for https secure cookie
+beaker.session.secure = false
 
 ##auto save the session to not to use .save()
 beaker.session.auto = False
 
 ##true exire at browser close
 #beaker.session.cookie_expires = 3600
-    
+
+
 ################################################################################
 ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
 ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##