The default for new installations set up from late 2014 onward is the value httpOnly. Before this option was introduced, the sessionKey was sent and managed in HTTP GET requests, so it was visible to the user and possibly to someone trying to steal the session.
| Value | Description |
| --- | --- |
| Session Keys Visible | Session keys are sent and managed in the page source and JavaScript. |
| Session Keys Hidden | Session keys are not exposed to the page; a cookie is used to bridge requests back to the server. |
| Session Keys Hidden - No JavaScript Access | Same as Session Keys Hidden, with the added restriction that JavaScript cannot query the cookie value, so the sessionKey cannot be read from script. (default) |
| Hidden Keys - Enforced HTTPS | Same as yes; can be combined with httpOnly for the highest level of security. Including this option in the setting prevents any use of a session over a link that is not protected with TLS/SSL (HTTPS). |
| Hidden, No JavaScript, Enforced HTTPS | Most secure: combines hidden session keys, no JavaScript access, and HTTPS-only connections. |
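The following is an added example, not code from the original page or its project, showing how each table row maps onto the session cookie the server issues and onto where the server then looks for the session key. The mode names (`visible`, `hidden`, `httpOnly`, `https`, `httpOnly+https`) and the cookie name `sessionKey` are assumptions made for the example.

```python
from http.cookies import SimpleCookie

# One entry per table row; the mode names here are assumed for this example.
MODES = {
    "visible":        {"hidden": False, "httponly": False, "secure": False},
    "hidden":         {"hidden": True,  "httponly": False, "secure": False},
    "httpOnly":       {"hidden": True,  "httponly": True,  "secure": False},
    "https":          {"hidden": True,  "httponly": False, "secure": True},
    "httpOnly+https": {"hidden": True,  "httponly": True,  "secure": True},
}

def session_cookie_header(mode, session_key, cookie_name="sessionKey"):
    """Build the Set-Cookie value for a mode, or None when the mode keeps the
    key in the request itself and issues no bridging cookie (visible mode)."""
    flags = MODES[mode]
    if not flags["hidden"]:
        return None
    jar = SimpleCookie()
    jar[cookie_name] = session_key
    morsel = jar[cookie_name]
    morsel["path"] = "/"
    if flags["httponly"]:      # "No JavaScript Access": script cannot read it
        morsel["httponly"] = True
    if flags["secure"]:        # "Enforced HTTPS": browser sends it only over TLS
        morsel["secure"] = True
    return morsel.OutputString()

def cookie_flags(set_cookie_value):
    """Report which protections a Set-Cookie value actually carries; useful
    when auditing a deployment's responses against the configured mode."""
    attrs = [p.strip().lower() for p in set_cookie_value.split(";")[1:]]
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}

def request_allowed(mode, over_https):
    """HTTPS-enforcing modes refuse any session use over a plaintext link."""
    return over_https or not MODES[mode]["secure"]

def extract_session_key(mode, query_params, cookies, over_https):
    """Locate the session key where the mode expects it: the request
    parameters in visible mode, the bridging cookie in every other mode."""
    if not request_allowed(mode, over_https):
        return None
    if not MODES[mode]["hidden"]:
        return query_params.get("sessionKey")
    return cookies.get("sessionKey")
```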