The default as installed with new setups starting in late 2014 is the value httpOnly. Prior to the introduction of this option, the sessionKey was sent and managed in http get request so that it could be visible to the user and possible someone trying to steal the session.
no |
Session keys are sent and managed in the source and javascript |
yes |
Session keys are not available and a cookie is used to bridge from requests back to the server. |
httpOnly |
Same as yes, with the added restriction that javascript cannot query the cookie value so that the sessionKey cannot be read. |
secure |
Same as yes -- can be combined with httpOnly for the highest level of security. Including this option in the setting prevents any use of a session over a link that is not protected with TLS/SSL (HTTPS protocol) |
