I'm setting a cookie to HttpOnly in the Node layer of an Express + VueJS application before the response from the user login endpoint is dispatched as follows:
res.cookie('ms-sso', response.session.token, { httpOnly: true })
Based on going to Chrome > Application > Cookies, it appears that setting the cookie to HttpOnly in this fashion works:
However, it was my understanding that these cookies cannot be updated and/or accessed from the client-side, only the server-side. Yet from within the client-side code, I'm able to do something like this:
document.cookie = `ms-sso=banana`
console.log(document.cookie) // shows `ms-sso=banana` in the console
Nevertheless, when I type document.cookie into the console, it shows "" as expected. Am I misunderstanding the definition of being editable with HttpOnly turned on, and are all of these observations expected behavior?
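Added example, not part of the question above: a small Node model of the RFC 6265 cookie-store rules that decide what the post's two observations should look like in a conforming browser. The function and class names (defaultPath, pathMatches, parseCookie, CookieJar, scenario) and the token value abc123 are my own; the first Set-Cookie line is what Express emits for res.cookie('ms-sso', token, { httpOnly: true }), which adds Path=/ by default. The model also shows one caveat the HttpOnly flag does not cover: script may still create a same-name cookie at a narrower path.

```javascript
'use strict';

// RFC 6265 section 5.1.4: default-path of a cookie set without a Path attribute.
function defaultPath(uriPath) {
  if (!uriPath.startsWith('/')) return '/';
  const last = uriPath.lastIndexOf('/');
  return last === 0 ? '/' : uriPath.slice(0, last);
}

// RFC 6265 section 5.1.4 path-match, reduced to its two prefix rules.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse a Set-Cookie value, or the string assigned to document.cookie,
// into a record; only the Path and HttpOnly attributes are modelled.
function parseCookie(str, uriPath) {
  const [pair, ...attrs] = str.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    path: defaultPath(uriPath),
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.trim().split('=');
    const key = k.toLowerCase();
    if (key === 'path' && v.startsWith('/')) cookie.path = v;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // RFC 6265 section 5.3 storage algorithm. fromHttp=false models the
  // document.cookie setter (a "non-HTTP API" in the RFC's terms).
  store(cookie, fromHttp) {
    if (!fromHttp && cookie.httpOnly) return false;            // step 10
    const i = this.cookies.findIndex(c => c.name === cookie.name && c.path === cookie.path);
    if (i !== -1) {
      if (!fromHttp && this.cookies[i].httpOnly) return false;  // step 11.2
      this.cookies[i] = cookie;                                 // same name+path: replace
    } else {
      this.cookies.push(cookie);                                // otherwise a new cookie
    }
    return true;
  }

  // RFC 6265 section 5.4 retrieval. HttpOnly cookies are dropped only when
  // the caller is the document.cookie getter; the Cookie request header
  // sent to the server still carries them. Longer paths are listed first.
  retrieve(requestPath, fromHttp) {
    return this.cookies
      .filter(c => pathMatches(requestPath, c.path) && (fromHttp || !c.httpOnly))
      .sort((a, b) => b.path.length - a.path.length)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Replays the post's observations; the token value is constructed.
function scenario() {
  const jar = new CookieJar();
  // Server response to the login endpoint: Express's res.cookie(..., { httpOnly: true })
  jar.store(parseCookie('ms-sso=abc123; Path=/; HttpOnly', '/login'), true);

  const r = {};
  r.scriptReadsToken = jar.retrieve('/', false);                             // ''
  r.scriptOverwrite = jar.store(parseCookie('ms-sso=banana', '/'), false);   // false: refused
  r.scriptReadsAfter = jar.retrieve('/', false);                             // still ''
  r.serverGetsToken = jar.retrieve('/api/me', true);                         // 'ms-sso=abc123'
  r.scriptMakesHttpOnly = jar.store(parseCookie('x=1; HttpOnly', '/'), false); // false

  // Caveat (cookie tossing): a same-name cookie at a different path is a
  // separate cookie, so script can plant one next to the HttpOnly original.
  r.shadowStored = jar.store(parseCookie('ms-sso=banana; Path=/api', '/'), false); // true
  r.scriptSeesShadow = jar.retrieve('/api/me', false);                       // 'ms-sso=banana'
  r.serverGetsBoth = jar.retrieve('/api/me', true);   // 'ms-sso=banana; ms-sso=abc123'
  return r;
}

console.log(JSON.stringify(scenario(), null, 2));
```

Under these rules the console reading "" is exactly what HttpOnly guarantees, and an assignment to document.cookie with the same name and path as the HttpOnly cookie is silently discarded, so neither reading nor overwriting the token from script should succeed. What the flag does not stop is a script storing its own ms-sso cookie at a narrower path: the browser then sends both values in the Cookie header, the script's first, and a server-side parser that keeps the first occurrence of a name will see the planted value. Validating the session token on the server (rather than trusting any cookie named ms-sso) is what closes that gap.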