Manual:$wgCookieHttpOnly

Details
Set authentication cookies to httpOnly to prevent stealing by JS, in browsers that support this feature.

Will only work on PHP 5.2+