HTTP hanya cookie
- If the HttpOnly flag (optional) is included in the HTTP response header,
the cookie cannot be accessed through client side script (again if the
browser supports this flag).
- As a result, even if a cross-site scripting (XSS) flaw exists, and a user
accidentally accesses a link that exploits this flaw, the browser (primarily
Internet Explorer) will not reveal the cookie to a third party.
- If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie,
the HttpOnly flag will be ignored by the browser, thus creating a traditional,
script accessible cookie.
- As a result, the cookie (typically your session cookie)
becomes vulnerable to theft of modification by malicious script. "Mitigating".
Annoyed Antelope