Odd.  Am I the only one who  wants to use HttpOnly cookies from servlets?  Looks like Jetty and Resin are adding HttpOnly support but what about others like Tomcat and WebSphere?  And why isn't Sun adding it to the Servlet API or at least open it up to allow custom cookie extensions?