Before criticizing the HttpOnly session protection mechanism in depth, I should first explain what it is and why it is useful. HttpOnly is a session protection mechanism, as established in the previous paragraph, used in situations where the session cookie does not need to be available inside the application DOM. Session identifiers are responsible for keeping the state between the
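The point above, that HttpOnly keeps the session cookie out of the application DOM, is set on the server in the Set-Cookie header. The following is an added example, not code from the original article, that parses Set-Cookie headers and reports session cookies issued without the HttpOnly attribute; the header strings and the list of session cookie names are constructed for the example.

```javascript
// Added example (not from the original article): parse Set-Cookie headers and
// flag session cookies that lack the HttpOnly attribute. Without HttpOnly a
// cookie is readable from document.cookie by any script running in the page.

function parseSetCookie(header) {
  // Split "name=value; Attr; Attr=val" into the cookie pair and its attributes.
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const cookie = { name, value, httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    switch (k.trim().toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = (v || '').trim(); break;
      default: break; // Path, Domain, Expires, Max-Age are ignored here
    }
  }
  return cookie;
}

// Hypothetical list of cookie names treated as session identifiers for the audit.
const SESSION_COOKIE_NAMES = ['PHPSESSID', 'JSESSIONID', 'ASP.NET_SessionId', 'session', 'sid'];

function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const isSession = SESSION_COOKIE_NAMES.some((n) => n.toLowerCase() === c.name.toLowerCase());
    if (isSession && !c.httpOnly) {
      findings.push({ name: c.name, problem: 'session cookie readable from document.cookie (no HttpOnly)' });
    }
  }
  return findings;
}

// Constructed sample Set-Cookie headers (not captured traffic).
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure',
  'JSESSIONID=def456; Path=/',
  'theme=dark; Path=/',
];

const REPORT = auditSetCookieHeaders(SAMPLE_HEADERS);
console.log(REPORT); // one finding: JSESSIONID is set without HttpOnly
```

The audit only looks at cookie names, so it treats the non-session cookie `theme` as out of scope even though it also lacks HttpOnly; in a real review the list of session cookie names would come from the application under test.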