When a cookie is set with the HTTPOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.
If the HttpOnly flag (optional) is set, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a Cross-Site Scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
It is possible to steal or manipulate sessions and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.