RT @jeremiahg: "5 Reasons HTTPOnly won't save you" - yes, that includes that Apache.org XSS incident. - http://bit.ly/d34f1N