Cookies set without the httponly flag can be read by client-side script, leading to cookie theft through Cross-Site Scripting (XSS) attacks.

The setrawcookie function creates a cookie with the httponly parameter defaulting to false. It is recommended to explicitly set it to true to mitigate this risk.

In the past this has led to vulnerabilities like:

Cross-Site Scripting (XSS) attacks commonly target the theft of cookies set by the application. If the httponly attribute is set to true, an XSS vulnerability cannot be exploited to steal the application's cookies, because the browser withholds the cookie from scripts (document.cookie and similar APIs).
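The call described above, shown as an added example rather than code from the original rule text: the noncompliant setrawcookie call with the httponly argument left at its default beside two hardened forms, followed by a small helper a reviewer can run over a captured Set-Cookie header to confirm the attribute is present. The cookie name, domain, lifetime and sample header values are constructed for illustration; the function signatures (positional arguments and the PHP 7.3+ options array) are the standard ones.

```php
<?php
// Added example, not part of the original rule page.
// Constructed session identifier for illustration only.
$sessionId = bin2hex(random_bytes(16));

// Noncompliant: the seventh ($httponly) argument is omitted, so it defaults
// to false and a script running in the page can read this cookie.
setrawcookie('PHPSESSID', $sessionId, time() + 3600, '/', 'example.com', true);

// Compliant (positional form): pass true for $httponly explicitly.
// In a real application only one of these calls would be made; the last
// header for a given cookie name wins here.
setrawcookie('PHPSESSID', $sessionId, time() + 3600, '/', 'example.com', true, true);

// Compliant (PHP 7.3+ options array): named keys make the intent obvious
// in code review and avoid miscounting positional arguments.
setrawcookie('PHPSESSID', $sessionId, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => 'example.com',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

/**
 * Returns true when a raw Set-Cookie header value carries the HttpOnly
 * attribute. Attribute names are case-insensitive (RFC 6265), so the
 * comparison is done on a lower-cased, trimmed token.
 */
function setCookieHasHttpOnly(string $headerValue): bool
{
    foreach (explode(';', $headerValue) as $part) {
        if (strtolower(trim($part)) === 'httponly') {
            return true;
        }
    }
    return false;
}

// Constructed sample header values, as they might be captured from a
// response with curl -I or a browser's network panel.
var_dump(setCookieHasHttpOnly('PHPSESSID=abc123; path=/; secure'));
var_dump(setCookieHasHttpOnly('PHPSESSID=abc123; path=/; secure; HttpOnly'));
```

The helper is useful as a regression check in an integration test: fetch a page that establishes a session, collect every Set-Cookie header, and fail the build if any session cookie lacks HttpOnly. Note that HttpOnly only stops script access to the cookie; it does not prevent an injected script from making authenticated requests in the victim's browser, so it complements rather than replaces fixing the XSS itself.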