Manual:$wgCookieHttpOnly

Details
Set authentication cookies to HttpOnly to prevent access by JavaScript, in browsers that support this feature. This can mitigate some classes of XSS attack.

PHP
This parameter is currently only supported on PHP 5.2 or higher, as HttpOnly support was added to setcookie and session cookie parameters in this version.

On PHP 5.0 or 5.1, $wgCookieHttpOnly defaults to off, and will be ignored if you manually enable it.

Browsers known to support HttpOnly

 * IE/Win 6 SP1 or 7
 * Firefox 2.0.0.5 or later
 * Opera 9.50 beta
 * Konqueror (3.4?)

Browsers known to ignore HttpOnly
Browsers that don't understand HttpOnly cookies should still store and use the cookie as normal, but will still expose them to JavaScript code.


 * Safari 3.1
 * Opera 9.27 (current non-Beta release)
 * Old scary browsers like IE for Mac and Netscape 4 ;)