Thanks for the patch.

I made a small modification that uses the Rails configuration.

class CGI::Cookie
alias :original_initializer :initialize

def initialize(name = ”, *value)
http_only = Rails.configuration.action_controller[:session][:session_http_only].nil? ? true : Rails.configuration.action_controller[:session][:session_http_only]

if name.kind_of?(String)
original_initializer({‘name’ => name, ‘value’ => value, ‘http_only’ => http_only})
else
original_initializer(name.merge({‘http_only’ => http_only}))
end
end
end