I go to a forum which uses vBulletin 3.8. When I log in, I use Firebug to see what cookies were set. I see these cookies: __utmb, __utmc, __utma, __utmz, bbsessionhash, vbseo_loggedin, bbpassword, bbuserid, bblastactivity, bblastvisit

They all had values set, and their domains were the same.

But when I use JavaScript to see them, it only saw these cookies: __utmb, __utmc, __utma, __utmz, vbseo_loggedin, bblastactivity, bblastvisit

In Firebug, I saw that 3 cookies (bbsessionhash, bbpassword, bbuserid) were set as HTTPOnly in the HTTPOnly column. What does it mean? And is that the reason I can see those cookies in JavaScript by document.cookie?

Thanks for reading.

+3  A: 

From http://en.wikipedia.org/wiki/HTTP_cookie:

Cookies are not directly visible to client-side programs such as JavaScript if they have been sent with the HttpOnly flag. From the point of view of the server, the only difference with respect to the normal case is that a new field containing the string 'HttpOnly' is added to the Set-Cookie header line:

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly

When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts. The HttpOnly flag is not part of any standard, and is not implemented in all browsers.

drdaeman
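
Added example, not part of the original answer: a simplified model of the filtering described above, which parses Set-Cookie headers and shows which cookies a script would see through document.cookie, plus a check for sensitive cookies sent without HttpOnly. The cookie names come from the question; the values and the function names are constructed for illustration, and path, domain and expiry matching are ignored.

```javascript
// Constructed Set-Cookie headers using the cookie names from the question.
// All values are made up for illustration.
const sampleHeaders = [
  "bbsessionhash=0123abcd; path=/; HttpOnly",
  "bbpassword=deadbeef; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; httponly",
  "bbuserid=42; path=/; HttpOnly",
  "bblastvisit=1262304000; path=/",
  "bblastactivity=0; path=/",
  "vbseo_loggedin=yes; path=/",
];

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const first = parts[0];
  const eq = first.indexOf("=");
  if (eq < 1) return null; // no name=value pair: ignore the header
  // Attribute names are case-insensitive; keep only the name before any "=".
  const attrs = parts.slice(1).map((a) => a.split("=")[0].trim().toLowerCase());
  return {
    name: first.slice(0, eq),
    value: first.slice(eq + 1),
    httpOnly: attrs.includes("httponly"),
  };
}

// Model of what document.cookie returns: HttpOnly cookies are left out.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Audit helper: names of sensitive cookies that scripts would be able to read.
function exposedSensitive(headers, sensitiveNames) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && !c.httpOnly && sensitiveNames.includes(c.name))
    .map((c) => c.name);
}

console.log(scriptVisibleCookies(sampleHeaders));
console.log(exposedSensitive(sampleHeaders, ["bbsessionhash", "bbpassword", "bbuserid"]));
```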