HttpOnly is a flag that you can append to cookies which makes it a little bit harder for cookie harvesting attacks (e.g. via XSS) to steal your valuable cookies containing authentication tickets or session IDs. I wrote about it here before.
ASP.NET 2.0 now features an HttpOnly property on the HttpCookie class which adds the flag when set to true. Session and authentication cookies always have this flag set. You can also configure the default behaviour of your manually issued cookies by using this configuration element:
<httpCookies httpOnlyCookies="true" />
Unfortunately, this is not the default setting and you have to configure that manually in your web.config.
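For code that cannot rely on that configuration default, the flag can be set per cookie or enforced centrally. The following is an added example, not code from the original post; the class name, the cookie names "prefs" and "ui-theme", and the exemption list are assumptions made for illustration.

```csharp
using System;
using System.Web;

// Hypothetical module: marks every outgoing cookie HttpOnly unless it is
// explicitly exempted, so a missing <httpCookies> setting does not matter.
public class HttpOnlyEnforcementModule : IHttpModule
{
    // Constructed sample list: cookies that client-side script must read.
    private static readonly string[] ScriptReadable = { "ui-theme" };

    public void Init(HttpApplication app)
    {
        // With the default buffered output, headers have not been written
        // yet at EndRequest, so cookie properties can still be changed.
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Response;

        // AllKeys returns a copy, so indexing the collection while
        // looping over the names is safe.
        foreach (string name in response.Cookies.AllKeys)
        {
            if (Array.IndexOf(ScriptReadable, name) >= 0)
                continue;

            HttpCookie cookie = response.Cookies[name];
            if (!cookie.HttpOnly)
                cookie.HttpOnly = true;
        }
    }

    public void Dispose() { }

    // Manually issued cookie with the flag set explicitly, independent of
    // whatever default web.config provides.
    public static void IssuePreferenceCookie(HttpResponse response, string value)
    {
        HttpCookie cookie = new HttpCookie("prefs", value);
        cookie.HttpOnly = true;
        response.Cookies.Add(cookie);
    }
}
```

The module only runs once it is registered under httpModules in web.config.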