We have set httpOnly for all cookies in our web.config and we have PersistStateInCookie set to true for our RadPanelBar however the cookie generated by the RadPanelBar does not seem to be httpOnly. We verified this using FireBug in the FireFox browser. Is this because the cookie has be accessed by javascript that Telerik is using?