Rails 2.2.3 secure/http_only session cookie

I’m way behind the times.

I’ve finally got the go ahead from corporate to start an upgrade of
our ROR application from 1.2.6.

I’m first upgrading to Rails 2.2.3 which has not been too bad but I
have a question around http_only and secure session cookie using
:active_record_store.

I understand that :session_http_only by default is set to TRUE but it
appears to be ignored while :session_secure is FALSE.

I’m using this at the bottom of environment.rb to turn on the secure
flag.
ActionController::Base.session_options[:session_secure] = true

When secure is turned off (FALSE) I CAN access the session cookie via
javascript in the browser.
When secure is turned on (TRUE) I CANNOT access the session cookie via
javascript.

This does not apply to other cookies - just the session cookie.

Was this a known issue?