When the server sends the client an HTTP header that instructs it to create a new cookie (or update a cookie that already exists), the cookie on the client side can be accessed using code written in JavaScript.
HttpOnly cookies cannot be accessed using code written in JavaScript. To create (or update) a cookie as an HttpOnly cookie, the HTTP header that instructs the client to create (or update) the cookie must include the additional HttpOnly flag.
Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
When developing our server side in PHP we can easily create an HttpOnly cookie. We just need to pass true as the httponly parameter of the setcookie function.
bool setcookie (string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )
The session cookie can be made HttpOnly through the php.ini file by setting the session.cookie_httponly directive to true.
session.cookie_httponly = true
Alternatively, we can call the session_set_cookie_params function and pass true as the httponly parameter.
void session_set_cookie_params (int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
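The following is an added example, not code from the original post. It uses setcookie and session_set_cookie_params as described above, then checks the queued response headers for any Set-Cookie line that lacks HttpOnly. The cookie names and values and the cookiesMissingHttpOnly helper are hypothetical; it assumes PHP 7.4 or later, a web SAPI (headers_list() is empty under the CLI) and a site served over HTTPS.

```php
<?php
// Added example: cookie names/values and this helper are constructed for illustration.

// Return the Set-Cookie header lines that do not carry the HttpOnly attribute.
function cookiesMissingHttpOnly(array $headers): array
{
    $missing = [];
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a cookie header
        }
        // Attributes follow the first name=value pair, separated by ';'.
        $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        array_shift($parts); // drop the name=value pair itself
        $names = array_map(fn($p) => strtolower(explode('=', $p, 2)[0]), $parts);
        if (!in_array('httponly', $names, true)) {
            $missing[] = $line;
        }
    }
    return $missing;
}

// Must be called before session_start().
// Arguments: lifetime, path, domain, secure, httponly.
session_set_cookie_params(0, '/', '', true, true);
session_start();

// Arguments: name, value, expire, path, domain, secure, httponly.
setcookie('prefs', 'dark', time() + 3600, '/', '', true, true);

// httponly defaults to false, so this cookie stays readable from JavaScript.
setcookie('legacy', '1');

// Log every cookie in this response that was sent without HttpOnly.
foreach (cookiesMissingHttpOnly(headers_list()) as $line) {
    error_log('Cookie without HttpOnly: ' . $line);
}
```

With the calls above, only the legacy cookie is logged; the session cookie and prefs both carry the flag.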