Ensure ‘cookies’ are set with HttpOnly attribute

Details

The httpOnlyCookies attribute of the httpCookies node determines whether IIS will set the HttpOnly flag on the HTTP cookies it issues. The HttpOnly flag tells the user agent that the cookie must not be accessible to client-side script (i.e., document.cookie). It is recommended that the httpOnlyCookies attribute be set to true.

When cookies are set with the HttpOnly flag, they cannot be read by client-side script running in the user’s browser. Preventing client-side script from accessing cookie content may reduce the probability of a cross-site scripting attack materializing into a successful session hijack.

NOTE: This section requires ASP.NET, but ASPNET45 and .Net Extensibility have not been found.
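
One way to audit this setting, shown as an added example that is not part of the original benchmark text: a PowerShell function that parses web.config content and reports whether every httpCookies element has httpOnlyCookies set to true, including elements inside location overrides. The function name Test-HttpOnlyCookies and the sample configurations are assumptions constructed for illustration.

```powershell
# Added example: audit web.config content for the httpOnlyCookies setting.
function Test-HttpOnlyCookies {
    param([Parameter(Mandatory)][string]$ConfigXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never resolve external entities from audited files
    $doc.LoadXml($ConfigXml)

    # httpCookies can sit under the top-level <system.web> or inside a <location> override.
    $nodes = $doc.SelectNodes('//system.web/httpCookies')
    if ($nodes.Count -eq 0) {
        # No element at all: the ASP.NET default (false) applies.
        return [pscustomobject]@{ Compliant = $false; Detail = 'no httpCookies element; default is false' }
    }
    foreach ($node in $nodes) {
        $value = $node.GetAttribute('httpOnlyCookies')   # empty string when the attribute is absent
        if ($value -ne 'true') {
            $loc   = $node.SelectSingleNode('ancestor::location')
            $scope = if ($loc) { "location '$($loc.GetAttribute('path'))'" } else { 'top-level system.web' }
            return [pscustomobject]@{ Compliant = $false; Detail = "httpOnlyCookies='$value' at $scope" }
        }
    }
    return [pscustomobject]@{ Compliant = $true; Detail = 'httpOnlyCookies=true on every httpCookies element' }
}

# Constructed sample configurations (not taken from any real server).
$samples = [ordered]@{
    'hardened'      = '<configuration><system.web><httpCookies httpOnlyCookies="true" /></system.web></configuration>'
    'explicit-off'  = '<configuration><system.web><httpCookies httpOnlyCookies="false" /></system.web></configuration>'
    'not-set'       = '<configuration><system.web><compilation debug="false" /></system.web></configuration>'
    'location-off'  = '<configuration><system.web><httpCookies httpOnlyCookies="true" /></system.web>' +
                      '<location path="legacy"><system.web><httpCookies httpOnlyCookies="false" /></system.web></location></configuration>'
}

foreach ($name in $samples.Keys) {
    $result = Test-HttpOnlyCookies -ConfigXml $samples[$name]
    '{0,-14} Compliant={1,-5} {2}' -f $name, $result.Compliant, $result.Detail
}
```

To check a real site, pass the output of Get-Content -Raw for each web.config file to the function. A configuration that sets the attribute at the top level can still fail the check when a location override turns it off for part of the site.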

Supportive Information

This control applies to the following type of system: Windows.

Updated on July 16, 2022