Zend Framework, Sessions, and HttpOnly
Try at bootstrap to do Zend_Session::setOptions(array('cookie_httponly' => true));
( somewhere before the session is first initialized ) tough it should work with the app.ini file too .
Add this to your application.ini file.
phpSettings.session.cookie_httponly = true
For this to be 100% safe.
The server should not allow the option http trace.The http option trace reports the session id.If a attacker can inject a java applet, flash or javascript with ajax the attacker can also steal cookies even with the httponly flag set...