Session cookies are set without the HttpOnly flag, making them accessible to client-side JavaScript and vulnerable to theft via cross-site scripting attacks.
If an XSS vulnerability exists, an attacker could use JavaScript to read session cookies and hijack user sessions, leading to account takeover.
Set the HttpOnly flag on all session cookies, and on any other cookie that does not need to be read by client-side JavaScript. Combine this with a Content Security Policy to further reduce the likelihood that an XSS payload can run and exfiltrate cookies.
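The check below is an added example, not part of the original finding: it parses the Set-Cookie headers a server returns, flags session cookies that lack HttpOnly, and shows the corrected header. The cookie names and the pattern used to recognise session cookies are assumptions for this example.

```python
"""Audit Set-Cookie headers for a missing HttpOnly flag (added example)."""
import re

# Constructed sample responses: the weak one matches the finding, the other is the fix.
WEAK_RESPONSE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Assumed naming convention for cookies that carry session state.
SESSION_NAME_PATTERN = re.compile(r"(sess|auth|token|sid)", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, {attribute_lower: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def audit_set_cookie(headers):
    """Return one finding string per session cookie that is missing HttpOnly.

    `headers` is a list of (header_name, header_value) pairs from an HTTP response.
    Non-session cookies are skipped because script access may be legitimate for them.
    """
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if SESSION_NAME_PATTERN.search(name) and "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
    return findings


def harden_set_cookie(value):
    """Return the Set-Cookie value with HttpOnly appended when it is absent."""
    _, attrs = parse_set_cookie(value)
    return value if "httponly" in attrs else value.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK_RESPONSE_HEADERS):
        print(finding)
```

HttpOnly stops script from reading the cookie value; it does not stop a script already running in the page from issuing requests that carry the cookie, which is why the finding pairs it with a Content Security Policy.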