HttpOnly and secure cookie flags
HttpOnly is a flag attached to a cookie that instructs the browser not to expose the cookie to client-side scripts (through document.cookie and similar interfaces).
The purpose of HttpOnly is to keep cookies from leaking when an XSS vulnerability exists: the attacker can still run their script in the page, but the primary payoff of XSS (reading the session cookie and hijacking an established session) is lost. Note that HttpOnly does not stop the injected script from issuing requests that the browser automatically authenticates with the cookie; it only prevents the cookie value itself from being read and exfiltrated.
HttpOnly cookies were first introduced in Microsoft's Internet Explorer 6 SP1, and setting the flag on session cookies has since become common practice. The syntax is as follows:
Set-Cookie: Name=Value; expires=Thu, 01 May 2014 12:45:10 GMT; HttpOnly
In this HTTP header, the ; HttpOnly attribute instructs the browser to store the cookie without exposing it to client-side scripts.
The Secure flag, on the other hand, instructs the browser to send the cookie only over an encrypted channel (HTTPS), which prevents eavesdropping, especially...