From http://www.petefreitag.com/item/644.cfm:

When a cookie is HttpOnly, the web browser should (see note about Firefox implementation below) not allow client-side scripts such as JavaScript to have access to the cookie. This can help mitigate the effects of cross-site scripting (XSS) attacks.
PHP supports HttpOnly cookies as of version 5.2.
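
How the flag is set from PHP 5.2 onward, with the unflagged form beside the flagged one and a check of the headers the response will carry. This is an added example, not code from the quoted post; the cookie names and values are constructed, and the site is assumed to be served over HTTPS.

```php
<?php
// Added example; cookie names and values are constructed for illustration.

// Weak: no HttpOnly attribute, so any script running in the page can read
// this cookie through document.cookie.
setcookie('prefs_weak', 'theme=dark', 0, '/');

// Hardened: the seventh argument of setcookie() is httponly (PHP 5.2.0+).
// The sixth argument (secure) restricts the cookie to HTTPS requests.
setcookie('auth_token', 'constructed-sample-value', 0, '/', '', true, true);

// Session cookie: set the flag before session_start(). The fifth argument
// of session_set_cookie_params() is httponly (also PHP 5.2.0+). The same
// setting is available in php.ini as session.cookie_httponly.
session_set_cookie_params(0, '/', '', true, true);
session_start();

// Check what will actually be sent. Match HttpOnly as a cookie attribute
// (after a ';'), not as a substring of the cookie value.
foreach (headers_list() as $header) {
    if (stripos($header, 'Set-Cookie:') !== 0) {
        continue;
    }
    $flagged = preg_match('/;\s*HttpOnly\s*(;|$)/i', $header) === 1;
    error_log(($flagged ? 'HttpOnly:    ' : 'NO HttpOnly: ') . $header);
}
```

Run under a web server, this logs `prefs_weak` as lacking the attribute and the other two cookies as carrying it.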