diff --git a/app.js b/app.js
index efffc5a..91da4b6 100644
--- a/app.js
+++ b/app.js
@@ -1,6 +1,9 @@
 'use strict';
 module.exports = function(app) {
+ if (!app.config.session.httpOnly) {
+ app.logger.warn('[egg-session]: please set `config.session.httpOnly` to true. It is very dangerous if session can read by client JavaScript.');
+ }
 app.config.coreMiddleware.push('session');
 // listen on session's events
diff --git a/test/app/middleware/session.test.js b/test/app/middleware/session.test.js
index 1ee8203..21a2c1a 100644
--- a/test/app/middleware/session.test.js
+++ b/test/app/middleware/session.test.js
@@ -55,6 +55,15 @@ describe('test/app/middlewares/session.test.js', () => {
 });
 });
+ describe('httpOnly', () => {
+ it('should warn when httponly false', function* () {
+ app = mm.app({ baseDir: 'httponly-false-session' });
+ yield app.ready();
+ app.expectLog('[egg-session]: please set `config.session.httpOnly` to true. It is very dangerous if session can read by client JavaScript.');
+ yield app.close();
+ });
+ });
+
 [
 'cookie-session',
 'memory-session',
diff --git a/test/fixtures/httponly-false-session/app/controller/home.js b/test/fixtures/httponly-false-session/app/controller/home.js
new file mode 100644
index 0000000..b122fac
--- /dev/null
+++ b/test/fixtures/httponly-false-session/app/controller/home.js
@@ -0,0 +1,25 @@
+'use strict';
+
+exports.get = function* (ctx) {
+ ctx.body = ctx.session;
+};
+
+exports.set = function* (ctx) {
+ ctx.session = ctx.query;
+ ctx.body = ctx.session;
+};
+
+exports.setKey = function* (ctx) {
+ ctx.session.key = ctx.query.key;
+ ctx.body = ctx.session;
+};
+
+exports.remove = function* (ctx) {
+ ctx.session = null;
+ ctx.body = ctx.session;
+};
+
+exports.maxAge = function* (ctx) {
+ ctx.session.maxAge = Number(this.query.maxAge);
+ ctx.body = ctx.session;
+};
diff --git a/test/fixtures/httponly-false-session/app/router.js b/test/fixtures/httponly-false-session/app/router.js
new file mode 100644
index 0000000..d5938ed
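Review bot: The warning text on the `app.logger.warn` line reads "if session can read by client JavaScript"; it should read `It is very dangerous if the session can be read by client JavaScript.`, and because test/app/middleware/session.test.js asserts the identical literal through `app.expectLog`, both strings have to change in the same commit. The guard `!app.config.session.httpOnly` also fires when the key is undefined rather than only on an explicit `false`; that is presumably harmless if the plugin's default config sets it to true, but a one-line comment above the `if` would record the intent: `// warn at startup: without httpOnly the session cookie is exposed to client-side script`. The enclosing `module.exports` function continues past the end of the hunk.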
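Review bot: In the new `it('should warn when httponly false')` case, `yield app.close()` only runs when `app.expectLog(...)` on the line before it passes; if the assertion throws, the app created by `mm.app` stays open for the rest of the run and can turn one failed expectation into unrelated timeouts. Close it from a hook instead: add `afterEach(() => app.close());` inside the `describe('httpOnly', ...)` block and drop the in-test `yield app.close();`. The `app` binding assigned here is declared outside the hunk, so it is worth confirming that sibling describes do not close the same binding in a conflicting way.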
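Review bot: `exports.maxAge` reads `this.query.maxAge` while every other handler in this fixture reads `ctx.query`; use `ctx.session.maxAge = Number(ctx.query.maxAge);` so the fixture does not additionally depend on the controller being invoked with `this` bound to the context. Note also that `Number()` of an absent or non-numeric query value is `NaN`, which is then stored in `ctx.session.maxAge`; acceptable in a fixture, but a short comment such as `// fixture only: no validation of maxAge` would make that deliberate.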
--- /dev/null
+++ b/test/fixtures/httponly-false-session/app/router.js
@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = function(app) {
+ app.get('/get', 'home.get');
+ app.get('/set', 'home.set');
+ app.get('/setKey', 'home.setKey');
+ app.get('/remove', 'home.remove');
+ app.get('/maxAge', 'home.maxAge');
+};
diff --git a/test/fixtures/httponly-false-session/config/config.default.js b/test/fixtures/httponly-false-session/config/config.default.js
new file mode 100644
index 0000000..d237c77
--- /dev/null
+++ b/test/fixtures/httponly-false-session/config/config.default.js
@@ -0,0 +1,6 @@
+'use strict';
+
+exports.keys = 'keys';
+exports.session = {
+ httpOnly: false,
+};
diff --git a/test/fixtures/httponly-false-session/package.json b/test/fixtures/httponly-false-session/package.json
new file mode 100644
index 0000000..9f1ec46
--- /dev/null
+++ b/test/fixtures/httponly-false-session/package.json
@@ -0,0 +1,3 @@
+{
+ "name": "httponly-false-session"
+}