HttpOnly is a flag added to a cookie that tells the browser not to expose the cookie to client-side scripts (document.cookie and similar APIs). The purpose of HttpOnly is to limit the damage when an XSS flaw exists: an attacker may still be able to run their script in the victim's browser, but the most direct payoff of an XSS vulnerability (the ability to steal cookies and hijack an established session) is lost. Note that HttpOnly protects only the cookie value itself: injected script can still issue requests from the victim's browser, and the browser will attach the cookie to those requests, so HttpOnly is a mitigation for XSS, not a fix for it.
When you set a cookie with the HttpOnly flag, you are telling the browser that this cookie is meant for the server only: the browser stores it and sends it with matching requests, but any attempt to read it from client-side script is refused. Of course, this presumes the user has a browser that honours the flag, which every modern browser does.
HttpOnly cookies were first introduced in Microsoft's Internet Explorer 6 SP1, and setting the flag on session cookies has since become standard practice.
The syntax is as follows (the Expires value uses the RFC 6265 date format; 1 May 2014 was a Thursday):
Set-Cookie: Name=Value; Expires=Thu, 01 May 2014 12:45:10 GMT; HttpOnly
In this HTTP header, ; HttpOnly tells the browser to store the cookie without exposing it to client-side scripts. The Secure flag, on the other hand, tells the browser to send the cookie only over an encrypted channel, i.e. HTTPS. This stops the cookie from being exposed to an eavesdropper, particularly when an HTTPS connection is downgraded to plain HTTP by tools such as SSLStrip and
The syntax is as follows:
Set-Cookie: Name=Value; Expires=Thu, 01 May 2014 12:45:10 GMT; Secure
In this HTTP header, ; Secure tells the browser to send the cookie only over HTTPS; a request made over plain HTTP will not carry it. Secure protects the cookie in transit only: in browsers that predate the "leave secure cookies alone" rule of RFC 6265bis, a cookie of the same name could still be overwritten from an http:// origin. The two flags are independent, and a session cookie should normally carry both.
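The two headers above, as an added example that is not part of the original article: the first function builds a session Set-Cookie header carrying both HttpOnly and Secure with Python's standard http.cookies module, and the second parses an arbitrary Set-Cookie header value and reports which of the two flags is missing, the check you would run over a site's responses when auditing session cookies. The cookie names, values and sample headers are constructed for the example.

```python
"""Build hardened Set-Cookie headers and audit existing ones for the
HttpOnly and Secure flags. Illustrative code, not from the original
article; all cookie names, values and headers below are constructed."""
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value for a session cookie with both flags."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True   # not readable via document.cookie
    cookie[name]["secure"] = True     # only sent over HTTPS
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age
    # Morsel.OutputString() emits the attributes in sorted order, e.g.
    # "sid=abc123; HttpOnly; Max-Age=3600; Path=/; Secure"
    return cookie[name].OutputString()


def audit_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header value and report missing HttpOnly/Secure.

    Attribute names are case-insensitive per RFC 6265, so the audit lowercases
    them before comparing; an Expires value containing a comma is harmless
    because attributes are separated by ';'.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, val = attr.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif attr:
            attrs[attr.lower()] = True   # flag attribute with no value
    missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
    return {
        "name": name,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "missing": missing,
    }


if __name__ == "__main__":
    # Constructed sample: a session cookie set without either flag.
    weak = "sessionid=xyz; Path=/; Expires=Thu, 01 May 2014 12:45:10 GMT"
    print("weak:", audit_set_cookie(weak))
    hardened = build_session_cookie("sid", "abc123")
    print("hardened header:", hardened)
    print("hardened:", audit_set_cookie(hardened))
```

Run the audit over every Set-Cookie header a site returns during login; any session cookie whose "missing" list is non-empty is a finding. A cookie that only needs to be read by JavaScript (a CSRF token exposed to the page, for instance) legitimately lacks HttpOnly, but it should still carry Secure.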