by brokenparser 4380 days ago
Doesn't make sense because Squirrelmail is also written in PHP and it's pretty solid. The next version will use HTTP-only cookies to further harden against attacks.
1 comments

Do you know of any particular reason that wasn't put into place years ago? Concern for legacy browsers at all costs? It sounds snarky, but it's a genuine question - I think I've set my apps to be http-only cookies for a while now, and am wondering why someone would only get around to it in 2014.