The HttpOnly flag can be set on a cookie returned from the server to stop it being accessed from JavaScript in the browser, helping to reduce the chance of a Cross-Site Scripting (XSS) attack stealing the cookie.
Always check the value of the IsHttpOnlyKnown property before using IsHttpOnly.
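
The following added example (not code from the original page or from the API it documents) shows why the "known" check comes first. It assumes the flag is unknown when a cookie is seen only in a request `Cookie` header, which carries names and values but no attributes. `ObservedCookie`, its snake_case properties and the sample headers are hypothetical, constructed stand-ins for the IsHttpOnlyKnown / IsHttpOnly pair.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ObservedCookie:
    """Hypothetical record mirroring the IsHttpOnlyKnown / IsHttpOnly pair."""
    name: str
    is_http_only_known: bool
    _http_only: Optional[bool] = None

    @property
    def is_http_only(self) -> bool:
        # Refuse to answer instead of silently reporting False for "unknown".
        if not self.is_http_only_known:
            raise ValueError(f"HttpOnly state of {self.name!r} is unknown")
        return bool(self._http_only)

def from_set_cookie(header_value: str) -> ObservedCookie:
    """Response Set-Cookie value: attributes are present, so the flag is known."""
    pair, *attrs = header_value.split(";")
    name = pair.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; only attributes count, not the value.
    flag = any(a.split("=", 1)[0].strip().lower() == "httponly" for a in attrs)
    return ObservedCookie(name, True, flag)

def from_cookie_header(header_value: str) -> list:
    """Request Cookie value: only name=value pairs are sent, so the flag is unknown."""
    names = [p.split("=", 1)[0].strip() for p in header_value.split(";") if p.strip()]
    return [ObservedCookie(n, False) for n in names]

def classify(cookie: ObservedCookie) -> str:
    """Check the 'known' property first, then read the flag."""
    if not cookie.is_http_only_known:
        return "unknown"
    return "httponly" if cookie.is_http_only else "script-readable"

# Constructed sample headers (not captured traffic).
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
    "csrf=xyz; path=/; httponly; SameSite=Lax",
]
SAMPLE_COOKIE = "session=abc123; theme=dark"

def audit() -> dict:
    result = {c.name: classify(c) for c in map(from_set_cookie, SAMPLE_SET_COOKIE)}
    result.update({f"request:{c.name}": classify(c) for c in from_cookie_header(SAMPLE_COOKIE)})
    return result

if __name__ == "__main__":
    print(audit())
```

A cookie classified as "unknown" should not be reported as missing HttpOnly; it needs to be checked against the response that set it.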