Understanding and prevent cookie hijacking using HttpOnly flag http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html