diff --git a/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java b/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
index 53c26880..395fadbc 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
@@ -151,6 +151,7 @@ public class PlayerService {
 String cookieName = COOKIE_NAME + "-" + StringUtil.utf8HexEncode(username);
 Cookie cookie = new Cookie(cookieName, String.valueOf(player.getId()));
 cookie.setMaxAge(COOKIE_EXPIRY);
+ cookie.setHttpOnly(true);
 String path = request.getContextPath();
 if (StringUtils.isEmpty(path)) {
 path = "/";
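Review bot: The player cookie still carries no Secure attribute in the visible lines, so the added `cookie.setHttpOnly(true);` hides it from script but it is still sent over plain HTTP. Adding `cookie.setSecure(request.isSecure());` beside it would make the flag follow the transport. Behind a TLS-terminating proxy `isSecure()` only reports true if forwarded headers are honoured, so that deployment case needs checking. The method body continues past the end of the hunk, so the flag may already be set further down. Separately, the value is a plain player id supplied back by the client, so the code that reads this cookie should confirm the player belongs to the authenticated user; that path is not shown here.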