rspec/rules/S3330/description.adoc

2021-01-27 13:42:22 +01:00
When a cookie is configured with the ``++HttpOnly++`` attribute set to _true_, the browser guarantees that no client-side script can read it. In most frameworks, the default value of ``++HttpOnly++`` is _false_ when a cookie is created, and it is up to the developer to decide whether client-side scripts should be able to read the cookie's content. As the majority of Cross-Site Scripting (XSS) attacks aim at stealing session cookies, the ``++HttpOnly++`` attribute helps reduce their impact: an XSS vulnerability can no longer be exploited to read the session cookie and exfiltrate it. Note that ``++HttpOnly++`` does not prevent the XSS itself; injected script can still issue requests that the browser sends with the cookie attached, so the attribute is a mitigation to combine with output encoding, not a replacement for it.