I found all the tracking cookies of Piwik not having set httpOnly to ‘true’. The default value is ‘false’ in the class ‘Cookie’. I have found no way to configure this.
Is there a reason why the value of httpOnly is ‘false’? Is it ok to change this to ‘true’?
Hmmm…well, I am not sure but I think it is a cookie set by PHP. If it helps, I am talking about cookies with a name like _pk_id.1.91db and _pk_ses.1.91db.
What Matthieu mentioned is still true: httpOnly means that the cookie is impossible to read or modify via JavaScript. But this is incompatible with the fact that the cookie will be set by the tracking code in JavaScript.