- To prevent client-side script from accessing the session cookie, set the httpOnlyCookie attribute to true in the web.xml file.
Vulnerable Code

- When http-only is set to false, the cookie is accessible from client script.
Secure Code

- When http-only is set to true, the cookie is not accessible from client script.
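
A way to check a deployment descriptor for the setting described above (an added example, not code from the original page). It assumes the setting lives at `session-config/cookie-config/http-only`, the Servlet 3.0+ form of web.xml; the three sample descriptors and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the original page).
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>false</http-only>
    </cookie-config>
  </session-config>
</web-app>"""

SECURE_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<http-only>false</http-only>", "<http-only>true</http-only>")

# Descriptor that never mentions http-only at all.
NO_SETTING_WEB_XML = """<web-app version="3.0"><session-config/></web-app>"""


def _local(tag):
    """Strip the XML namespace so any descriptor schema version matches."""
    return tag.rsplit("}", 1)[-1]


def http_only_setting(web_xml_text):
    """Return 'true', 'false' or 'unset' for the session cookie's http-only."""
    root = ET.fromstring(web_xml_text)
    for session in (e for e in root if _local(e.tag) == "session-config"):
        for cookie in (e for e in session if _local(e.tag) == "cookie-config"):
            for item in cookie:
                if _local(item.tag) == "http-only":
                    value = (item.text or "").strip().lower()
                    return value if value in ("true", "false") else "unset"
    return "unset"


def audit(web_xml_text):
    """Map the setting to a finding a reviewer can act on."""
    setting = http_only_setting(web_xml_text)
    if setting == "true":
        return "OK: session cookie is not accessible from client script"
    if setting == "false":
        return "FAIL: session cookie is accessible from client script"
    return "WARN: http-only not set; behaviour depends on the container default"


if __name__ == "__main__":
    for name, xml in [("vulnerable", VULNERABLE_WEB_XML),
                      ("secure", SECURE_WEB_XML),
                      ("no setting", NO_SETTING_WEB_XML)]:
        print(f"{name}: {audit(xml)}")
```
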