How about simply adding an additional certificate - e.g. a random string of specified length - held by your webapp in a closure? And then configure your server to only respond to requests that have the "secure" httpOnly cookies and the certificate included using the POST method. The certificate was originally sent by the server using the HTTPS protocol during document load, is stored in a closure, and can be dynamically updated asynchronously over an HTTPS connection.

This limits all requests to AJAX requests since inclusion of this additional certificate is needed from JavaScript memory, but it does side-step the problem.

PS: I know this is a dated article, I'm just curious what you guys think of this work-around. I think it's more secure and flexible than the work-arounds suggested in the article, since this does allow you to use the array notation.
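The scheme in the comment above, sketched as an added example that is not part of the original comment: the random string (the comment's "certificate") is treated as a per-session token, the server answers only POSTs that carry both the session cookie and that token, and the client keeps the token in a closure. The names `issueToken`, `authorize`, `makeClient`, the `x-request-token` header, the `sid` cookie and the in-memory store are all assumptions for illustration.

```javascript
// Added example; every name here is hypothetical, requests are constructed objects.
const { randomBytes, timingSafeEqual } = require('node:crypto');

const tokens = new Map(); // session id -> current token (in-memory store for the sketch)

// Server: mint a fresh random token for a session; sent with the HTTPS document response.
function issueToken(sessionId, bytes = 32) {
  const token = randomBytes(bytes).toString('hex');
  tokens.set(sessionId, token);
  return token;
}

// Server: answer only POSTs that carry both the session cookie and the matching token.
function authorize(req) {
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  const sid = req.cookies && req.cookies.sid;
  const expected = sid && tokens.get(sid);
  if (!expected) return { ok: false, reason: 'cookie' };
  const got = Buffer.from(String(req.headers['x-request-token'] || ''));
  const want = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    return { ok: false, reason: 'token' };
  }
  return { ok: true };
}

// Client: the token lives only in this closure, not in a cookie or a global.
function makeClient(initialToken) {
  let token = initialToken;
  return {
    build: (body) => ({ method: 'POST', headers: { 'x-request-token': token }, body }),
    rotate: (next) => { token = next; },
  };
}

// The browser attaches the cookie by itself; only script holding the closure adds the token.
function demo() {
  const client = makeClient(issueToken('s1'));
  const cookies = { sid: 's1' };
  const legit = authorize({ ...client.build('{}'), cookies });
  const cookieOnlyGet = authorize({ method: 'GET', headers: {}, cookies });
  const cookieOnlyPost = authorize({ method: 'POST', headers: {}, cookies });
  const stale = client.build('{}');
  client.rotate(issueToken('s1')); // the asynchronous update over HTTPS
  const afterRotate = authorize({ ...client.build('{}'), cookies });
  const replayOld = authorize({ ...stale, cookies });
  return { legit, cookieOnlyGet, cookieOnlyPost, afterRotate, replayOld };
}
```

Calling `demo()` returns the decision for each constructed request: only the two requests built from the closure with the current token are accepted.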