diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index e061c4d4a1fec..6ad6369950dd4 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -45,7 +45,7 @@ class CookieStore
         :domain       => nil,
         :path         => "/",
         :expire_after => nil,
-        :httponly     => false
+        :httponly     => true
       }.freeze
 
       ENV_SESSION_KEY = "rack.session".freeze
@@ -56,8 +56,6 @@ class CookieStore
       class CookieOverflow < StandardError; end
 
       def initialize(app, options = {})
-        options = options.dup
-
         # Process legacy CGI options
         options = options.symbolize_keys
         if options.has_key?(:session_path)
diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb
index d349c18d1df11..b6a38f47aaae4 100644
--- a/actionpack/test/controller/session/cookie_store_test.rb
+++ b/actionpack/test/controller/session/cookie_store_test.rb
@@ -94,7 +94,7 @@ def test_setting_session_value
     with_test_route_set do
       get '/set_session_value'
       assert_response :success
-      assert_equal ["_myapp_session=#{response.body}; path=/"],
+      assert_equal ["_myapp_session=#{response.body}; path=/; httponly"],
         headers['Set-Cookie']
    end
   end
@@ -148,7 +148,7 @@ def test_setting_session_value_after_session_reset
       get '/set_session_value'
       assert_response :success
       session_payload = response.body
-      assert_equal ["_myapp_session=#{response.body}; path=/"],
+      assert_equal ["_myapp_session=#{response.body}; path=/; httponly"],
         headers['Set-Cookie']
 
       get '/call_reset_session'