A session cookie set without the HttpOnly flag can be read by JavaScript running on the page, so a single XSS vulnerability may be enough to steal the session.
package main
import (
"net/http"
"github.com/gin-contrib/sessions"
)
// foo is the insecure example: HttpOnly is explicitly set to false, so the
// session cookie written by this store is exposed to client-side script.
func foo(store sessions.Store) {
	// Building the options value separately makes the offending field easy to spot.
	opts := sessions.Options{HttpOnly: false}
	store.Options(opts)
}
package main
import (
"net/http"
"github.com/gin-contrib/sessions"
)
// foo is the remediated example: HttpOnly is set to true, so the browser
// withholds the session cookie from JavaScript (document.cookie and similar).
func foo(store sessions.Store) {
	var opts sessions.Options
	opts.HttpOnly = true
	store.Options(opts)
}