diff --git a/config-templates/config.php b/config-templates/config.php
index 3104e467218cdc73f16e5370a93d4d47867a504e..b45616bad8b529921e46c7b2967d2e21dd3a46d8 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -310,7 +310,7 @@ $config = array(
      */
     'session.phpsession.cookiename' => null,
     'session.phpsession.savepath' => null,
-    'session.phpsession.httponly' => false,
+    'session.phpsession.httponly' => true,
 
     /*
      * Option to override the default settings for the auth token cookie
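Review bot: The flipped template default at L10 is not self-explaining to an operator who later considers turning it off, and the comment block that closes at L6 (its text is outside this hunk) should say what the flag buys; I would add `* Set to true (the default) so the session cookie carries the HttpOnly flag and cannot be read by client-side script; only set false if a script genuinely needs the cookie.` The auth token cookie described at L13 is configured separately, so if it has an equivalent httponly option its default should be checked for the same treatment; I cannot see it in this hunk.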
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 9857d843056b08fdf47b51949534406e83d85efb..04988b8c3ac3d67432b8166ce08124a2571d836c 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -211,7 +211,7 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 			$ret['path'] = $config->getBoolean('session.phpsession.limitedpath', FALSE) ? '/' . $config->getBaseURL() : '/';
 		}
 
-		$ret['httponly'] = $config->getBoolean('session.phpsession.httponly', FALSE);
+		$ret['httponly'] = $config->getBoolean('session.phpsession.httponly', TRUE);
 
 		return $ret;
 	}
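Review bot: The new fallback `TRUE` at L23 only applies when the option is absent from config, so any deployment that copied the earlier template keeps an explicit `'session.phpsession.httponly' => false` and silently retains non-HttpOnly session cookies after upgrading. That deserves an upgrade note, or a log warning in this method when the option resolves to false, e.g. `// NOTE: explicit false in config disables HttpOnly; log or document this as a deliberate downgrade`. The enclosing method begins before this hunk, so I cannot see whether the `secure` cookie attribute is set alongside this one; it is worth confirming in the same place.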