I would like to use the API with javascript on a subdomain that is different from the Rock subdomain, but is the same domain.  For example, the .ROCK cookie that is set on rock.church.com is readable by the server in the request header on www.church.com, but is not entered into the DOM to be readable by Javascript in the browser.    Is there an attribute/flag somewhere to turn off the httponly of the ID cookies or where is that cookie set so I could turn it off in the code.