Index: django/http/__init__.py
===================================================================
--- django/http/__init__.py	(revision 4325)
+++ django/http/__init__.py	(working copy)
@@ -196,9 +196,9 @@
                 return True
         return False
 
-    def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=None):
+    def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=None):
         self.cookies[key] = value
-        for var in ('max_age', 'path', 'domain', 'secure', 'expires'):
+        for var in ('max_age', 'path', 'domain', 'secure', 'expires', 'httponly'):
             val = locals()[var]
             if val is not None:
                 self.cookies[key][var.replace('_', '-')] = val
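Review bot: The assignment `self.cookies[key][var.replace('_', '-')] = val` will raise `Cookie.CookieError("Invalid Attribute httponly")` on interpreters whose `Cookie.Morsel._reserved` does not know the attribute — the standard library only added `httponly` to `Morsel` in Python 2.6 — so if this code still targets earlier interpreters the new attribute needs a guard (or a `Morsel` that has been taught the key) rather than the plain loop. Separately, the `val is not None` test means `httponly=False` still sets the morsel attribute, and the Python 2 `Cookie` module emits the `httponly` flag whenever the attribute is present regardless of its value, so only `None` omits it; the middleware hunk in this patch relies on that by passing `settings.SESSION_COOKIE_HTTPONLY or None`. `set_cookie` has no docstring; I would add one stating that `secure` and `httponly` are flags and that callers must pass `None`, not `False`, to leave them off. The enclosing class starts outside the hunk.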
Index: django/conf/global_settings.py
===================================================================
--- django/conf/global_settings.py	(revision 4325)
+++ django/conf/global_settings.py	(working copy)
@@ -257,6 +257,7 @@
 SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seconds (default: 2 weeks).
 SESSION_COOKIE_DOMAIN = None              # A string like ".lawrence.com", or None for standard domain cookie.
 SESSION_COOKIE_SECURE = False             # Whether the session cookie should be secure (https:// only).
+SESSION_COOKIE_HTTPONLY = False           # Whether the session cookie should be httponly.
 SESSION_SAVE_EVERY_REQUEST = False        # Whether to save the session data on every request.
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False   # Whether sessions expire when a user closes his browser.
 
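Review bot: The comment on the added `SESSION_COOKIE_HTTPONLY` line only restates the attribute name ("should be httponly"), while the neighbouring `SESSION_COOKIE_SECURE` comment explains what its flag does ("https:// only"); a settings reader should not have to know the cookie attribute to understand the option. I would write `SESSION_COOKIE_HTTPONLY = False           # Whether the session cookie should be httponly (not readable by client-side script).` so the two flags are documented in the same way.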
Index: django/contrib/sessions/middleware.py
===================================================================
--- django/contrib/sessions/middleware.py	(revision 4325)
+++ django/contrib/sessions/middleware.py	(working copy)
@@ -89,5 +89,6 @@
                     datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
                 response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,
                     max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
-                    secure=settings.SESSION_COOKIE_SECURE or None)
+                    secure=settings.SESSION_COOKIE_SECURE or None,
+                    httponly=settings.SESSION_COOKIE_HTTPONLY or None)
         return response