diff --git a/ webgoat/main/HOW TO create the WebGoat workspace.txt b/ webgoat/main/HOW TO create the WebGoat workspace.txt
index 287f03c67..db83867f3 100644
--- a/ webgoat/main/HOW TO create the WebGoat workspace.txt
+++ b/ webgoat/main/HOW TO create the WebGoat workspace.txt
@@ -125,24 +125,6 @@ in "Server Overview" window NOTE: In developer mode you may want to leave this checked -Rename the web.xml file: - - a. Delete the web.xml file located at - /project/WebContent/WEB-INF/web.xml - - b. Copy the appropriate web-*.xml as the new web.xml - - Windows: - - copy /project/WebContent/WEB-INF/web-windows.xml to - /project/WebContent/WEB-INF/web.xml - - - Unix: - - copy /project/WebContent/WEB-INF/web-unix.xml to - /project/WebContent/WEB-INF/web.xml - Right click on Tomcat v5.5 Sever@localhost ->Start
diff --git a/ webgoat/main/build.xml b/ webgoat/main/build.xml
index cc7cfe41e..4f6295c2d 100644
--- a/ webgoat/main/build.xml
+++ b/ webgoat/main/build.xml
@@ -293,7 +293,9 @@
@@ -312,7 +314,7 @@
diff --git a/ webgoat/main/eclipse.bat b/ webgoat/main/eclipse.bat
index 9b88a5313..05c59d7d0 100644
--- a/ webgoat/main/eclipse.bat
+++ b/ webgoat/main/eclipse.bat
@@ -1,7 +1,28 @@ -set JAVAHOME= C:\Program Files\Java\jdk1.5.0_08 +ECHO OFF +IF NOT EXIST workspace GOTO UNPACK +set JAVAHOME= java set PATH=%JAVAHOME%\bin;%PATH% -set ECLIPSE_HOME= C:\webgoat\tools\eclipse +set ECLIPSE_HOME= eclipse SET JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx768m %ECLIPSE_HOME%\eclipse.exe -data .\workspace +GOTO END + +:UNPACK +ECHO * +ECHO * +ECHO * +ECHO * +ECHO * ERROR -- eclipse workspace is missing +ECHO * +ECHO * +ECHO * +ECHO * +ECHO * Use winzip to unzip Eclipse-Workspace.zip +ECHO * +ECHO * +ECHO * +PAUSE + +:END
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
index a4d1e366d..c13cbcc4a 100644 
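Review bot: The new `IF NOT EXIST workspace`, `set JAVAHOME= java` and `set ECLIPSE_HOME= eclipse` lines all resolve against whatever the current directory happens to be, so a launch from a shortcut or another folder either falls through to UNPACK or fails to find `eclipse.exe`, and a `java\bin` under that stray directory is what ends up at the front of `PATH`; `cd /d "%~dp0"` as the first line pins the script to its own folder. In cmd the space after `=` is part of the value, so `%JAVAHOME%\bin` expands to ` java\bin` with a leading space (the old absolute path had the same quirk); `set JAVAHOME=java` and `set ECLIPSE_HOME=eclipse` remove the doubt. `ECHO OFF` without the leading `@` still echoes that first command; `@ECHO OFF` is the conventional form.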
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
@@ -7,7 +7,9 @@ import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.A; import org.apache.ecs.html.IMG; -import org.apache.ecs.html.P; +import org.apache.ecs.html.TD; +import org.apache.ecs.html.TR; +import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; 
@@ -77,20 +79,38 @@ public class AccessControlMatrix extends LessonAdapter String user = s.getParser().getRawParameter(USER, users[0]); String resource = s.getParser().getRawParameter(RESOURCE, resources[0]); String credentials = getRoles(user).toString(); - ec.addElement(new P().addElement("Change user:")); - ec.addElement(ECSFactory.makePulldown(USER, users, user, 1)); - ec.addElement(new P()); + + Table t = new Table().setCellSpacing(0).setCellPadding(2) + .setBorder(0).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + t.setBorder(1); + } + + TR tr = new TR(); + tr.addElement(new TD().addElement("Change user:")); + tr.addElement(new TD().addElement(ECSFactory.makePulldown(USER, users, user, 1))); + t.addElement(tr); // These two lines would allow the user to select the resource from a list // Didn't seem right to me so I made them type it in. // ec.addElement( new P().addElement( "Choose a resource:" ) ); // ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) ); - ec.addElement(new P().addElement("Select resource: ")); - ec.addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1)); - - ec.addElement(new P()); - ec.addElement(ECSFactory.makeButton("Check Access")); + tr = new TR(); + tr.addElement(new TD().addElement("Select resource: ")); + tr.addElement(new TD().addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1))); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD(" ").setColSpan(2).setAlign("center")); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD(ECSFactory.makeButton("Check Access")).setColSpan(2).setAlign("center")); + t.addElement(tr); + ec.addElement(t); + if (isAllowed(user, resource)) { if (!getRoles(user).contains("Admin") diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java index a05ff72bd..693dade51 100644 
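Review bot: The rebuilt form still hands the request-supplied `user` and `resource` strings obtained via `getRawParameter` straight to `ECSFactory.makePulldown` as the selected value (the two `tr.addElement(new TD().addElement(ECSFactory.makePulldown(...)))` lines), and nothing in this hunk confines them to the `users`/`resources` arrays; whether makePulldown HTML-encodes the selected value is outside this hunk, so a value that is not one of the known options is presumably echoed into the page as-is. Clamping before rendering keeps the page independent of makePulldown's escaping, `if (!Arrays.asList(users).contains(user)) user = users[0];` and the same for `resource` (with `java.util.Arrays` imported), unless the lesson deliberately relies on the raw echo. The comment kept above the new "Select resource:" row says the resource is typed in, yet the row right below it renders a pulldown for it, and the two commented-out `ec.addElement(...)` lines refer to the `P`-based layout this hunk removes; either update the comment to describe the pulldown or drop the four lines. The enclosing method starts and ends outside this hunk.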
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@@ -278,7 +278,7 @@ public class CSRF extends LessonAdapter { @Override protected Category getDefaultCategory() { - return Category.ACCESS_CONTROL; + return Category.XSS; } private final static Integer DEFAULT_RANKING = new Integer(120);
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
index dae791243..6a8e10f58 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
@@ -288,7 +288,7 @@ public class CrossSiteScripting extends GoatHillsFinancial */ public String getTitle() { - return "LAB: Cross Site Scripting (XSS)"; + return "LAB: Cross Site Scripting"; } public String htmlEncode(WebSession s, String text)
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
index 02c673db6..8ca10731a 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
@@ -228,7 +228,7 @@ public class WeakAuthenticationCookie extends LessonAdapter */ protected Category getDefaultCategory() { - return Category.AUTHENTICATION; + return Category.SESSION_MANAGEMENT; } /**
diff --git a/ webgoat/main/project/WebContent/lesson_plans/HttpOnly.html b/ webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
index 7de425f79..535439d3c 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/HttpOnly.html 
+++ b/ webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
@@ -1,9 +1,25 @@

Lesson Plan Title: HttpOnly Test

-

Concept / Topic To Teach:

+

Concept / Topic To Teach:

-To help mitigate the cross site scripting threat, Microsoft has introduced a new cookie attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side script to access the cookie. Since the attribute is relatively new, several browsers neglect to handle the new attribute properly. -

General Goal(s):

-The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the unique2u cookie. If your browser supports HTTPOnly, and you enable it for a cookie, client side code should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. Some browsers only prevent client side read access, but don't prevent write access. +To help mitigate the cross site scripting threat, Microsoft has +introduced a new cookie attribute entitled 'HttpOnly.' If this flag is +set, then the browser should not allow client-side script to access the +cookie. Since the attribute is relatively new, several browsers neglect +to handle the new attribute properly. +

General Goal(s):

+The purpose of this lesson is to test whether your browser supports the +HTTPOnly cookie flag. Note the value of the +unique2u +cookie. If your browser supports HTTPOnly, and you enable it for a +cookie, client side code should NOT be able to read OR write to that +cookie, but the browser can still send its value to the server. Some +browsers only prevent client side read access, but don't prevent write +access. +
+
+With the HTTPOnly attribute turned on, type +"javascript:alert(document.cookie)" in the browser address bar. Notice +all cookies are displayed except the unique2u cookie.
\ No newline at end of file
diff --git a/ webgoat/main/project/build.xml b/ webgoat/main/project/build.xml
index 91914e029..ab3efa453 100644
--- a/ webgoat/main/project/build.xml
+++ b/ webgoat/main/project/build.xml
@@ -224,15 +224,19 @@ - + + - - - + + + + + +