Kate suggested looking at using HttpOnly cookies, if possible, as a mitigation
against potential XSS attacks stealing credentials.
This is an extension introduced in IE 6.0 SP1 which marks a cookie so that it
can't be read from JavaScript (document.cookie). In combination with shutting
off the TRACE method in Apache (TRACE echoes the request back, including the
Cookie header, so a script could otherwise recover the cookie that way), this
could make it difficult or impossible for an XSS exploit to take the session or
auth token cookies and send them to a third party.
This may or may not be worthwhile; an attacker able to exploit an XSS hole would
already be able to do quite a bit of damage just by issuing more requests from
that session.
Other browsers _probably_ just ignore the HttpOnly attribute, but they might
be affected negatively, so testing would also be required.
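As an added illustration (not code from this project or from the ticket), the
following Python shows the two halves of the change being proposed: emitting a
session cookie with the HttpOnly attribute, and auditing outgoing Set-Cookie
headers so a cookie that lacks the attribute is noticed. The cookie names
("session", "auth") and values are constructed for the example.

```python
from http.cookies import SimpleCookie


def session_cookie_header(name, value, path="/", secure=True):
    """Build one Set-Cookie value carrying the HttpOnly attribute.

    http.cookies treats "httponly" and "secure" as flag attributes and emits
    them as bare tokens ("; HttpOnly", "; Secure").
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True   # not readable via document.cookie in browsers that honour it
    if secure:
        jar[name]["secure"] = True  # only sent over HTTPS
    return jar[name].OutputString()


def cookies_missing_httponly(set_cookie_values):
    """Return the names of cookies whose Set-Cookie value has no HttpOnly token.

    Attribute names are compared case-insensitively, since the spec treats
    "HttpOnly" and "httponly" the same.
    """
    missing = []
    for header_value in set_cookie_values:
        parts = [p.strip() for p in header_value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(cookie_name)
    return missing


if __name__ == "__main__":
    # Constructed sample headers: one hardened cookie, one that is not.
    hardened = session_cookie_header("session", "abc123")
    legacy = "auth=xyz789; Path=/"
    print("Set-Cookie:", hardened)
    print("Cookies lacking HttpOnly:", cookies_missing_httponly([hardened, legacy]))
```

The audit function is the piece worth wiring into a test suite: run it over
the response headers of a login request so a regression that drops the
attribute fails a test rather than going unnoticed.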
Version: 1.6.x
Severity: enhancement
URL: http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp