Good information, it didn't occur to me that XSS could be a problem for storing session IDs in a way that's visible to the browser.
On the other hand, if hackers get XSS, they can still send AJAX requests using the user's current session, or show a fake login prompt in your site's design, or do a thousand different bad things.
So an HttpOnly cookie helps a bit, but you still really want to focus on preventing XSS from happening in the first place.
Exactly the same bad.
Malicious source injected to get the storage or to execute requests using the cookies with the httpOnly flag enabled.