diff -r 4352b7ccde04 -r 1245357b3b3e web/application.py
--- a/web/application.py Fri Oct 17 18:16:58 2014 +0200
+++ b/web/application.py Tue Jul 15 16:07:59 2014 +0200
@@ -224,7 +224,7 @@
 sessioncookie = self.session_cookie(req)
 secure = req.https and req.base_url().startswith('https://')
 req.set_cookie(sessioncookie, session.sessionid,
- maxage=None, secure=secure)
+ maxage=None, secure=secure, httponly=True)
 if not session.anonymous_session:
 self.session_manager.postlogin(req, session)
 return session
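Review bot: The session cookie now carries HttpOnly, but the `secure` value passed on the same call is still computed from `req.https and req.base_url().startswith('https://')`, which presumably evaluates to False when TLS is terminated at a reverse proxy in front of the application, so the session id would then be set without the Secure attribute; it is worth confirming how `req.https` is populated in that deployment or documenting the assumption next to that line. A short why-comment on the new argument would also help the next maintainer, e.g. `# httponly: keep the session id out of script-readable document.cookie`. The enclosing method begins before this hunk, so its signature and the origin of `session` are not visible here.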