The HttpOnly session cookie is supported by most modern browsers.<ref name="httponlybrowsers">OWASP [https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly Browsers Supporting HttpOnly]</ref><ref name="httponlyrfc">IETF [http://tools.ietf.org/html/rfc6265 HTTP State Management Mechanism – Apr, 2011] Obsoletes RFC 2965.</ref> On a supported browser, an HttpOnly session cookie is used only when transmitting HTTP (or HTTPS) requests, which restricts access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via [[Cross-site scripting]].<ref name="httponlyprotection">Article on HttpOnly [http://bottiger.org/wrote/5-HTTP-Only-cookies-Brought-to-you-by-Internet-Explorer-6]</ref> It is important to realize this feature applies only to session-management cookies, and not other browser cookies.
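
The following added example (not part of the original article) models the restriction described above: the same cookie store yields different results for an outgoing HTTP request and for a script-facing API. It also covers the write-side rule from RFC 6265, which goes slightly beyond the text; the <code>CookieJar</code> class, its method names and the sample cookie values are hypothetical.

```javascript
// Added example: simplified model of a browser cookie jar (constructed for
// illustration; ignores Domain, Path, Secure and expiry handling).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name=value pair: ignore the cookie
  return {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    httpOnly: attrs.some(a => a.toLowerCase() === 'httponly'), // case-insensitive
  };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Cookie received in an HTTP response (Set-Cookie header).
  setFromHttp(header) {
    const c = parseSetCookie(header);
    if (c) this.cookies.set(c.name, c);
    return c !== null;
  }
  // Cookie written by script. Per RFC 6265 section 5.3, a non-HTTP API can
  // neither create an HttpOnly cookie nor overwrite an existing one.
  setFromScript(str) {
    const c = parseSetCookie(str);
    if (!c || c.httpOnly) return false;
    const old = this.cookies.get(c.name);
    if (old && old.httpOnly) return false;
    this.cookies.set(c.name, c);
    return true;
  }
  serialize(keep) {
    return [...this.cookies.values()].filter(keep)
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
  // Cookie header of an outgoing HTTP(S) request: every stored cookie.
  httpRequestHeader() { return this.serialize(() => true); }
  // What a script reads through a non-HTTP API: HttpOnly cookies are omitted.
  scriptView() { return this.serialize(c => !c.httpOnly); }
}

// Constructed sample response headers.
const demoJar = new CookieJar();
demoJar.setFromHttp('SID=31d4d96e407aad42; Path=/; Secure; HttpOnly');
demoJar.setFromHttp('theme=dark; Path=/');
console.log('HTTP request :', demoJar.httpRequestHeader());
console.log('script sees  :', demoJar.scriptView());
```

The session identifier still travels with every HTTP request from the page, which is why the flag mitigates rather than eliminates the cross-site scripting risk.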