if HTTPOnly weren't working you should see "blah=protected" as well as "blah2=notprotected"