
Cookies/Flags/HttpOnly

From NetSec

This flag tells the browser that the cookie may only be transmitted in HTTP(S) requests and must not be exposed to client-side code. A cookie carrying HttpOnly is omitted from document.cookie, so JavaScript (and any other client-run technique, such as a Flash object, that reads cookies through the browser's scripting interface) cannot read it. The flag is set server-side as an attribute of the Set-Cookie header, e.g. Set-Cookie: sessionid=...; Secure; HttpOnly.

The flag protects the cookie against cross-site scripting attacks that try to read and exfiltrate it (the classic way of stealing a session identifier). It does not neutralise XSS: injected script can still issue requests from the victim's browser, and the browser will attach the HttpOnly cookie to those requests, so the attacker can act as the user without ever seeing the cookie value. It is also only effective if the browser honours it and the server does not echo cookies back in a readable way (for example via the TRACE method, which should be disabled). Treat HttpOnly as one layer of defence on session cookies, not as a substitute for output encoding.
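The following is an added example, not code from the NetSec page. It builds a Set-Cookie header with and without the HttpOnly attribute, and then mimics what document.cookie would return for each configuration: a browser simply leaves HttpOnly cookies out of that string. The cookie names and values (sessionid, theme) are constructed for illustration; the helper functions (buildSetCookie, parseSetCookie, scriptVisibleCookies) are assumptions of this example and not part of any library.

```javascript
// Build a Set-Cookie header value. Secure and SameSite are included because a
// session cookie should normally carry all three; HttpOnly is the subject here.
function buildSetCookie(name, value, { httpOnly = true, secure = true, sameSite = "Lax" } = {}) {
  // Reject characters that would let a value smuggle extra attributes into the header.
  if (/[;\s]/.test(name) || /[;\s]/.test(value)) {
    throw new Error("cookie name/value must not contain ';' or whitespace");
  }
  const parts = [`${name}=${value}`, "Path=/"];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse one Set-Cookie header value into its name, value and attribute map
// (attribute names are lower-cased; flag attributes map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Simulate what document.cookie would return for a set of Set-Cookie headers:
// browsers omit HttpOnly cookies from that string entirely.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !("httponly" in c.attributes))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed example: a session cookie set the weak way and the hardened way,
// plus a harmless preference cookie that legitimately needs script access.
const weak = buildSetCookie("sessionid", "a1b2c3", { httpOnly: false });
const hardened = buildSetCookie("sessionid", "a1b2c3");
const pref = buildSetCookie("theme", "dark", { httpOnly: false });

// What an injected script reading document.cookie could exfiltrate in each case.
const leakedWeak = scriptVisibleCookies([weak, pref]);        // "sessionid=a1b2c3; theme=dark"
const leakedHardened = scriptVisibleCookies([hardened, pref]); // "theme=dark"

console.log("Weak header:     ", weak);
console.log("Hardened header: ", hardened);
console.log("document.cookie (weak):     ", leakedWeak);
console.log("document.cookie (hardened): ", leakedHardened);
```

Run it with node; the hardened configuration still lets the page read the theme cookie while keeping the session identifier out of reach of script. Note that the simulated document.cookie only models read access: in a real browser the HttpOnly session cookie would still be sent with any request the injected script triggers.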