diff --git a/includes/session.inc b/includes/session.inc
index 9f671b3..8ea5659 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -135,6 +135,13 @@ function sess_regenerate() {
     setcookie(session_name(), '', time() - 42000, '/');
   }
 
+  if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
+    extract(session_get_cookie_params());
+    // Set "httponly" to TRUE to reduce the risk of session stealing via XSS.
+    // This has no effect for PHP < 5.2.0.
+    session_set_cookie_params($lifetime, $path, $domain, $secure, TRUE);
+  }
+
   session_regenerate_id();
 
   db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
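Review bot: The `extract()` on the second added line is a code smell even though the keys are known here: it dumps `$lifetime`, `$path`, `$domain` and `$secure` into the function's local scope and hides where they come from, and the comment below it says the call "has no effect for PHP < 5.2.0" when the `version_compare` guard means it never runs there at all. Prefer an explicit array and a comment that explains the guard: `$params = session_get_cookie_params();` followed by `session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], TRUE);`, with the comment reading `// The fifth (httponly) parameter of session_set_cookie_params() only exists as of PHP 5.2.0; it reduces the risk of session stealing via XSS.`. The ordering itself looks right, since the params are set before `session_regenerate_id()` emits the new cookie. Note that this only marks the cookie HttpOnly on regeneration; the initial session cookie presumably relies on the `session.cookie_httponly` ini setting, which this commit adds only to `default.settings.php`, so existing sites whose `settings.php` is not updated would get HttpOnly only after a regeneration. `sess_regenerate()` starts before this hunk.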
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 70c6480..dcffd0d 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -165,6 +165,7 @@ ini_set('session.use_cookies',      1);
 ini_set('session.use_only_cookies', 1);
 ini_set('session.use_trans_sid',    0);
 ini_set('url_rewriter.tags',        '');
+ini_set('session.cookie_httponly', '1');
 
 /**
  * If you encounter a situation where users post a large amount of text, and
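Review bot: The added `ini_set('session.cookie_httponly', '1');` passes the value as a string while every neighbouring line in this block passes an int, and the argument is not padded to the column the other lines use; for consistency write `ini_set('session.cookie_httponly',  1);`. Since this directive only exists from PHP 5.2.0, a short comment such as `// Mark the session cookie HttpOnly (PHP >= 5.2.0; ignored by older versions).` would tell a site administrator why it is safe to leave in place on older installs.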
