"HttpOnly session cookie" describes an attack that takes advantage of situations where the HttpOnly flag has not been set on the session cookie. HttpOnly is an additional attribute carried in a Set-Cookie HTTP response header. Its purpose is to prevent a Cross-Site Scripting exploit from reading the session cookie and hijacking the victim's session. The flag is a useful prevention mechanism because it instructs the user-agent to expose the cookie only to HTTP requests and responses, and not to scripts running in the page.
Setting the HttpOnly flag when generating a cookie helps mitigate the risk of a client-side script accessing the protected cookie (provided the browser supports it). If this optional flag is included in the Set-Cookie response header, the cookie cannot be read through a client-side script (again, provided the browser supports the flag). As a result, even if an XSS flaw exists and a user accidentally follows a link that exploits it, the browser will not reveal the cookie to a third party.
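The following is an added example, not code from the original page: a small Python audit that parses Set-Cookie response headers, reports any cookie issued without HttpOnly, and shows the hardened header a server should emit instead. The cookie names and header values are constructed sample data, and the additional check for the Secure attribute goes slightly beyond the text above (it is the companion flag that keeps the cookie off plain HTTP).

```python
"""Audit Set-Cookie response headers for a missing HttpOnly flag.

Added example (not from the original page). The sample headers below are
constructed; the cookie names are placeholders, not from any real site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

AttrValue = Union[str, bool]


@dataclass
class CookieReport:
    name: str
    httponly: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, AttrValue]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive;
    bare attributes such as HttpOnly and Secure are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, AttrValue] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> CookieReport:
    """Report whether a Set-Cookie header shields the cookie from script access."""
    name, _, attrs = parse_set_cookie(header_value)
    report = CookieReport(name=name,
                          httponly="httponly" in attrs,
                          secure="secure" in attrs)
    if not report.httponly:
        report.findings.append(
            f"{name}: HttpOnly missing, cookie is readable via document.cookie "
            "and therefore exposed to any XSS flaw on the site")
    if not report.secure:
        report.findings.append(
            f"{name}: Secure missing, cookie will also be sent over plain HTTP")
    return report


def audit_response_headers(headers: List[Tuple[str, str]]) -> List[CookieReport]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return [audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


def harden_set_cookie(header_value: str) -> str:
    """Return the header with HttpOnly appended if absent; other attributes untouched."""
    _, _, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


# Constructed sample response headers (placeholder cookie names and values).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),                      # weak
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly; Secure; Max-Age=3600"),  # hardened
]

if __name__ == "__main__":
    for report in audit_response_headers(SAMPLE_HEADERS):
        status = "OK" if not report.findings else "WEAK"
        print(f"[{status}] {report.name}")
        for finding in report.findings:
            print("   -", finding)
    print("hardened:", harden_set_cookie("sessionid=abc123; Path=/"))
```

Run the script against a captured response (for example the header list returned by an HTTP client) to list every cookie that a script could still read; `harden_set_cookie` shows the minimal change, adding the bare `HttpOnly` attribute, that a server-side fix needs to make.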