We can't access HTTPOnly cookies using the document.cookie API. The browser, however, has access to that because it keeps it in the response header, and the person who uses that machine can always see it.
Just imagine that I want to forward this to another site intentionally, to use the same session: I could create a URL which sends this information as a response instead.
But wouldn't that mean I am basically creating the same vulnerability in my web application which HTTPOnly is trying to prevent malicious scripts from exploiting? There is an additional need of knowing the URL beforehand, so instead of a script which is hard-coded with document.cookie, it would have to be tailor-made for that website with the URL which might give the session cookie.
So, is it actually a good thing to do? Is there any way to intentionally do session sharing if HTTPOnly is set? Or is it like I just can't have the best of both worlds?
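
The trade-off asked about above, as an added example that is not part of the original post: a small audit that flags any route whose response body reflects the value of an HttpOnly cookie, since a script that can request that route reads the body even though document.cookie hides the cookie. The route names, cookie names and session value are hypothetical and constructed, and `script_visible` is a simplified model of document.cookie.

```python
from http.cookies import SimpleCookie

SID = "constructed-session-id-0001"  # constructed sample value

def set_cookie(name, value, httponly):
    """Build a Set-Cookie header value, optionally flagged HttpOnly."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if httponly:
        jar[name]["httponly"] = True
    return jar[name].OutputString()

def script_visible(headers):
    """Model of document.cookie: only cookies without HttpOnly are readable."""
    seen = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        seen.update({n: m.value for n, m in jar.items() if not m["httponly"]})
    return seen

def httponly_values(headers):
    """Map of HttpOnly cookie names to values, as the server issued them."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return {n: m.value for n, m in jar.items() if m["httponly"]}

# Hypothetical routes: each takes the request cookies and returns a body.
def share_session(cookies):   # the URL proposed in the question
    return '{"session": "%s"}' % cookies["sid"]

def profile(cookies):         # an ordinary route, for comparison
    return '{"user": "alice"}'

def audit(routes, headers):
    """Names of routes whose body reflects an HttpOnly cookie value."""
    secret = httponly_values(headers)
    return sorted(name for name, handler in routes.items()
                  if any(v in handler(secret) for v in secret.values()))

HEADERS = [set_cookie("sid", SID, True), set_cookie("theme", "dark", False)]
ROUTES = {"/share-session": share_session, "/profile": profile}

if __name__ == "__main__":
    print("document.cookie sees:", script_visible(HEADERS))
    print("routes leaking HttpOnly values:", audit(ROUTES, HEADERS))
```

A check like this can run in a test suite against every route that accepts the session cookie, so a body that echoes the HttpOnly value is caught before release.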