HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie.
If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client side script.
If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result.
Cookie cookie = getMyCookie("myCookieName");
cookie.setHttpOnly(true);