In php, I return cookie headers over https, but some cookies are NOT marked httpOnly. Yet, document.cookie contains an empty string in the browser when run over https (
