HttpOnly is not what you think it is. Its sole purpose is to tell browsers specifically not to expose the cookie to script, and only to use it at the HTTP level.

Nothing can prevent a cookie from being forged by the client. There are a few ways to prevent cross-site request forgery (CSRF) by so-called session fixation attacks, but HttpOnly is not one of them. HttpOnly helps with cross-site scripting (XSS), so that if the page includes a malicious 3rd-party script, it cannot read the cookie to send it to a 3rd-party server (probably to use it later for a session fixation attack, but that's only possible if your site is vulnerable to them).
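As an added example (not part of the answer above), the following Node.js snippet shows what HttpOnly actually controls: it builds a session cookie's Set-Cookie header with the HttpOnly flag and audits a list of response headers for cookies that script could still read. Cookie names, values and the sample headers are constructed for illustration; the flag only affects exposure to script, and the server still cannot trust any cookie value the client sends.

```javascript
// Added example: building a Set-Cookie header with HttpOnly and auditing
// headers for cookies that remain readable from script. All names and
// values below are constructed for illustration.

// Build a Set-Cookie header value. HttpOnly keeps the cookie out of
// document.cookie; Secure and SameSite are separate transport and
// cross-site controls and do not replace CSRF protection.
function buildSessionCookie(name, value, { httpOnly = true, secure = true, sameSite = 'Lax' } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into name, value and a lowercase attribute map.
// Attributes without a value (HttpOnly, Secure) are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = decodeURIComponent(pair.slice(eq + 1));
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit helper: names of cookies that a script running in the page could read
// (i.e. those set without HttpOnly). Useful when reviewing a response for
// session identifiers that should not be reachable from document.cookie.
function cookiesExposedToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attributes.httponly)
    .map((c) => c.name);
}

// Constructed sample response headers (values are placeholders, not real sessions).
const sampleHeaders = [
  buildSessionCookie('sid', 'constructed-session-id-0001'),
  'legacy_sid=abc123; Path=/; Secure',   // session cookie missing HttpOnly
  'theme=dark; Path=/',                  // non-sensitive, readable by script on purpose
];

console.log(sampleHeaders[0]);
console.log('Readable by script:', cookiesExposedToScript(sampleHeaders));
```

Running it prints the hardened header and reports `legacy_sid` and `theme` as script-readable; only `legacy_sid` is a finding, because `theme` is not a session credential.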