What is a httpOnly cookie?
HTTP cookies can be created in a web browser either by the
> document.cookie "cookieconsent_status=dismiss; test_cookie=true"
The same cookie can be set using an HTTP response header:
Set-Cookie: cookieconsent_status=dismiss; test_cookie=true
This gives application developers great flexibility in customizing the application behavior to match user preferences. For example, if a user indicated a preference to see the website in Russian, the application can set a cookie
language=russian which the browser will send in all subsequent requests. Upon receiving the cookie, the application will then display content in the appropriate language, always returning what the user has chosen to see. The cookie can be read from either the HTTP session (
Set-Cookie: session_cookie=secret_value; httpOnly
Such a cookie will still be sent in the
Most web application security scanners will check whether session cookies are set with the
httpOnly flag and will raise an alert if they are not. Some broken security scanners will raise this alert for any cookie set by the website, which is overkill and a false positive.
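The scanner check described above, as an added example that is not part of the original article: a small Set-Cookie parser plus an audit that flags only session cookies missing the httpOnly flag (a language or consent cookie is left alone), and a helper that emits a hardened session cookie header. The list of session cookie names and the sample headers are constructed for this example.

```javascript
'use strict';

// Parse one Set-Cookie header value into name, value and a map of attributes.
// Attribute names are lower-cased; flag attributes such as HttpOnly map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Names treated as session cookies; this list is an assumption for the example.
const DEFAULT_SESSION_NAMES = ['session_cookie', 'sessionid', 'phpsessid', 'jsessionid'];

// Report session cookies that lack httpOnly. Non-session cookies are ignored,
// so a preference cookie like language=russian never produces a false alarm.
function auditSetCookieHeaders(headers, sessionNames = DEFAULT_SESSION_NAMES) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header);
    const isSession = sessionNames.some((n) => n.toLowerCase() === c.name.toLowerCase());
    if (isSession && !c.attributes.httponly) {
      findings.push({ cookie: c.name, issue: 'session cookie set without httpOnly' });
    }
  }
  return findings;
}

// Build a hardened Set-Cookie header for a session cookie: not readable from
// document.cookie (HttpOnly), HTTPS only (Secure), and limited cross-site sending.
function sessionSetCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers, mirroring the cookies used in the article.
const SAMPLE_HEADERS = [
  'cookieconsent_status=dismiss',
  'language=russian; Path=/',
  'session_cookie=secret_value',
  'PHPSESSID=abc123; Path=/; HttpOnly',
];

console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
```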