HTTPONLY cookies

McAfee Secure just reported to me that I should be using the httponly flag on my cs-cart cookies. Does anyone have any info on this?



Here’s what they have in their alert:



The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the “HttpOnly” flag to be accessed via client-side scripts.



An attacker can easily steal a user’s session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).
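The alert quoted above describes the mechanism but not how to check for it. The following is an added example, not code from the original thread or from CS-Cart: a small parser for Set-Cookie header values, an audit that reports every cookie a page script could still read through document.cookie (and, as a bonus, every cookie missing the Secure flag), and a helper that emits a correctly flagged header. The sample headers are constructed for the demo, not captured traffic; the cookie names PHPSESSID and lang and the session-name hints are assumptions.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example, not from the original thread or from CS-Cart. The sample
headers at the bottom are constructed for the demo, not captured traffic.
"""
from __future__ import annotations

from dataclasses import dataclass

# Name fragments that usually mark a session or auth cookie. This is a
# heuristic for ranking findings, not an exhaustive list (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class SetCookie:
    name: str
    value: str
    attributes: dict  # lower-cased attribute name -> value, or True for a bare flag


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie value of the form name=value; attr; attr=val."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a cookie pair: {parts[0]!r}")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # HttpOnly and Secure are bare flags; attribute names are case-insensitive.
        attributes[key.strip().lower()] = val.strip() if sep else True
    return SetCookie(name.strip(), value.strip(), attributes)


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie_headers(headers: list[str]) -> list[str]:
    """Return one finding per missing flag; an empty list means every cookie passed."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        severity = "HIGH" if looks_like_session_cookie(cookie.name) else "LOW"
        if "httponly" not in cookie.attributes:
            findings.append(
                f"{severity}: '{cookie.name}' lacks HttpOnly, so an XSS payload can read it "
                "from document.cookie"
            )
        if "secure" not in cookie.attributes:
            findings.append(f"{severity}: '{cookie.name}' lacks Secure, so it is sent over plain HTTP")
    return findings


def build_set_cookie(name: str, value: str, path: str = "/", secure: bool = True) -> str:
    """Emit a Set-Cookie value carrying HttpOnly, plus Secure unless the site has no TLS."""
    header = f"{name}={value}; Path={path}; HttpOnly"
    if secure:
        header += "; Secure"
    return header


# Constructed sample: what a PHP shop might send before and after the fix.
SAMPLE_HEADERS = [
    "PHPSESSID=d41d8cd98f00b204; path=/",                       # session cookie, no flags
    "lang=en; expires=Wed, 01 Jan 2020 00:00:00 GMT; path=/",  # harmless preference cookie
    "PHPSESSID=d41d8cd98f00b204; Path=/; HttpOnly; Secure",    # the fixed form
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
    print(build_set_cookie("PHPSESSID", "d41d8cd98f00b204"))
```

Run it against the Set-Cookie headers from a real login response (for example, copied out of a proxy) rather than the constructed sample. For a PHP application the session cookie's flag is controlled by the php.ini setting session.cookie_httponly, and cookies set directly through setcookie() take an httponly argument (both available since PHP 5.2). One caveat the scanner text does not spell out: HttpOnly only stops script from reading the cookie value. A script injected through XSS can still issue requests from the victim's page, and the browser attaches the cookie to them, so the flag limits the damage of XSS but does not remove the need to fix the XSS itself.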

Did you ever get this fixed? My security scan from Cenzic found the same thing.