Cookies
Cookies
HttpOnly
These are cookies that can be set by the server or by javascript but cannot be accessed in any way by javascript.
With the HTTPOnly parameter enabled, it is very difficult to steal a session through XSS because the javascript cannot read the content of these cookies.
A widely exploited attack in XSS is the theft of user session cookies. Theft of cookies is carried out through a javascript command that sends cookies to an external URL where the attacking user has control.
This option is enabled by default in all applications.
Session ID
Enables the session id that will be stored in cookies on the client side. This option embeds the session id directly in the URLs
This option is enabled by default in all applications.
Cookie Secure
With this option enabled, cookies are protected and can only be transmitted via secure communication. Therefore, they cannot be accessed through Javascript.
The HttpOnly option must also be enabled.