Rails 2.2.3 secure/http_only session cookie

I'm way behind the times.

I've finally got the go ahead from corporate to start an upgrade of our ROR application from 1.2.6.

I'm first upgrading to Rails 2.2.3 which has not been too bad but I have a question around http_only and secure session cookie using :active_record_store.

I understand that :session_http_only by default is set to TRUE but it appears to be ignored while :session_secure is FALSE.

I'm using this at the bottom of environment.rb to turn on the secure flag. ActionController::Base.session_options[:session_secure] = true

When secure is turned off (FALSE) I CAN access the session cookie via javascript in the browser. When secure is turned on (TRUE) I CANNOT access the session cookie via javascript.

This does not apply to other cookies - just the session cookie.

<P>Was this a known issue?