ddlsmurf 16 hours ago

If you set the cookie header right (definitely not always the case), this is true, but the JavaScript can still send requests that will have that cookie included, effectively still letting the hacker use the session as the logged-in user.
collinmanderson an hour ago

With http-only they can't _steal_ the cookie, but they can still _use_ the cookie. It reduces the impact but doesn't fully solve it.
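The steal-versus-use distinction from the comments above, as an added example that is not part of the thread: a small Set-Cookie auditor that reports whether an injected script could read a cookie's value via `document.cookie` (blocked by HttpOnly) and whether same-origin requests from that script would still carry it (always, HttpOnly or not). The `parseSetCookie` and `xssExposure` names and the sample headers are constructed for this example.

```javascript
// Added example: classify a Set-Cookie header by what XSS on the same origin
// could do with the cookie. HttpOnly only governs document.cookie access;
// fetch/XMLHttpRequest to the same origin attach the cookie regardless.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    // attribute names are case-insensitive; flags like HttpOnly have no value
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function xssExposure(header) {
  const c = parseSetCookie(header);
  const httpOnly = c.attrs.httponly === true;
  const secure = c.attrs.secure === true;
  const findings = [];
  if (!httpOnly) findings.push('missing HttpOnly: script can read and exfiltrate the value');
  if (!secure) findings.push('missing Secure: cookie is also sent over plain HTTP');
  // Even with HttpOnly the session remains usable from injected script,
  // so the finding is always present; it is a residual risk, not a flag gap.
  findings.push('same-origin requests from script still carry the cookie');
  return {
    name: c.name,
    readableByScript: !httpOnly, // document.cookie exposes non-HttpOnly cookies only
    usableByScript: true,        // credentials ride along on same-origin requests
    findings,
  };
}

// Constructed sample headers: one hardened, one with no attributes at all.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'session=abc123; Path=/',
];

for (const h of SAMPLE_HEADERS) console.log(xssExposure(h));
```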