The new version of Firefox supports HttpOnly cookies. Unfortunately though, as RSnake has written about here, the implementation has a vulnerability. Calling getAllResponseHeaders() on an XMLHttpRequest object reveals the cookie.[...]
Just read Kyan's post about Opera 9.5 including support for HttpOnly cookies. Nice.[...]
I just read an article on cookies in regular ASP, which explains some of the concerns related to session cookies. In this post I'll explain how this works in ASP.NET.
[...]
Vidar wrote an interesting article pointing me to HTTPOnly-cookies. Microsoft created this extension to the cookie standard to allow servers to issue cookies with a special HttpOnly-flag. This flag makes the cookie inaccessible to JavaScript in supported browsers (currently only newer versions of IE support this feature fully).
[...]
You may sometimes need to set or retrieve cookies on axis connections to transfer authentication tokens or similar.
[...]