Index: request_response.txt
===================================================================
--- request_response.txt	(revision 4815)
+++ request_response.txt	(working copy)
@@ -364,9 +364,9 @@
     Returns ``True`` or ``False`` based on a case-insensitive check for a
     header with the given name.
 
-``set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None)``
+``set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=None)``
     Sets a cookie. The parameters are the same as in the `cookie Morsel`_
-    object in the Python standard library.
+    object in the Python standard library, aside from ``httponly``.
 
         * ``max_age`` should be a number of seconds, or ``None`` (default) if
           the cookie should last only as long as the client's browser session.
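Review bot: The new ``httponly=None`` default in the signature is never explained; ``secure`` has the same ``None`` default and readers will not know whether ``None`` and ``False`` differ for ``httponly``. Either make the default ``False`` to match the ``SESSION_HTTP_ONLY`` setting introduced later in this patch, or state in the parameter list that ``None``/``False`` both leave the flag off and only ``True`` emits it. The phrase "aside from ``httponly``" is also vague about what differs; a short "which the ``Morsel`` object does not support" would say why it is called out.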
@@ -377,7 +377,11 @@
           the domains www.lawrence.com, blogs.lawrence.com and
           calendars.lawrence.com. Otherwise, a cookie will only be readable by
           the domain that set it.
+        * Use ``httponly`` set to ``True`` to set non-standard HttpOnly Cookie
+          flag to disallow access to this cookie via JavaScript. Not all browsers
+          honor this flag. See the `session docs`_.
 
+    .. _session docs: ../sessions/
     .. _`cookie Morsel`: http://www.python.org/doc/current/lib/morsel-objects.html
 
 ``delete_cookie(key, path='/', domain=None)``
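Review bot: The bullet on ``httponly`` says the flag will "disallow access to this cookie via JavaScript", which overstates it: HttpOnly stops script from reading the cookie through ``document.cookie``, but the browser still attaches the cookie to requests that script triggers, so it limits cookie theft rather than all script interaction with the cookie. Suggest "to prevent JavaScript from reading this cookie (for browsers that honour the flag)". The "See the `session docs`_" pointer would also be more useful if it named the setting it refers to, e.g. "See ``SESSION_HTTP_ONLY`` in the `session docs`_", since the reader of this page otherwise has to hunt for it. Minor: "HttpOnly Cookie flag" should be "HttpOnly cookie flag" for consistency with the rest of the page.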
Index: sessions.txt
===================================================================
--- sessions.txt	(revision 4815)
+++ sessions.txt	(working copy)
@@ -288,6 +288,16 @@
 (default), then the session data will only be saved if it has been modified --
 that is, if any of its dictionary values have been assigned or deleted.
 
+SESSION_HTTP_ONLY
+-----------------
+
+Default: ``False``
+
+Whether to use the non-standard HttpOnly Cookie flag. Some browsers, notably
+Internet Explorer and upcoming Firefox 3, allow cookies to be sent as HTTP-only.
+These cookies cannot be read using JavaScript, minimizing cross-site scripting
+attacks for user agents that support it.
+
 .. _Django settings: ../settings/
 
 Technical details
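Review bot: "minimizing cross-site scripting attacks" is the wrong claim for ``SESSION_HTTP_ONLY``; HttpOnly does nothing to prevent or reduce XSS, it only keeps an injected script from reading the session cookie and so limits what a successful XSS can steal. Suggest: "These cookies cannot be read from JavaScript, so a cross-site scripting flaw cannot be used to steal the session ID on user agents that honour the flag. It does not prevent cross-site scripting itself." The browser list ("Internet Explorer and upcoming Firefox 3") will go stale quickly and is better phrased as "some browsers, including Internet Explorer and recent Firefox versions" or dropped in favour of the `session docs`_ link. Finally, this hunk documents the setting but nothing in the patch shows the session middleware actually passing ``httponly=settings.SESSION_HTTP_ONLY`` to ``set_cookie``; please make sure that change is in the same commit or the documented setting will have no effect.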
Index: settings.txt
===================================================================
--- settings.txt	(revision 4815)
+++ settings.txt	(working copy)
@@ -736,6 +736,13 @@
 
 Whether to save the session data on every request. See the `session docs`_.
 
+SESSION_HTTP_ONLY
+-----------------
+
+Default: ``False``
+
+Whether to use the non-standard HttOnly Cookie flag. See the `session docs`_.
+
 SITE_ID
 -------
 
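Review bot: Typo in the ``SESSION_HTTP_ONLY`` entry: "HttOnly" should be "HttpOnly". As in the sessions.txt hunk, "Cookie" need not be capitalised ("HttpOnly cookie flag"). This entry otherwise mirrors the sessions.txt text and the cross-reference to the `session docs`_ is the right place for the longer explanation.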
