# `react-doctor/insecure-session-cookie`

Auth cookie missing HttpOnly protection

- **Category:** Security
- **Severity:** warn
- **Source:** oxlint-plugin-react-doctor
- **Framework:** global
- **Enabled when:** always

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm the reported code matches Auth cookie missing HttpOnly protection. Check the framework context and diagnostic message before suppressing it.

## Fix prompt

Use this once validation confirms the diagnostic is real.

Set auth/session cookies server-side with `httpOnly: true`, `secure: true`, and `sameSite`. Cookies set via `document.cookie` or with `httpOnly: false` are readable by any XSS payload and can be stolen.
