
One missing flag on a cookie enables session hijacking, and I almost glossed over it
I am documenting every day of my cybersecurity learning journey publicly. This is Day 5. Previous posts are on my profile.

What was covered today

DNS record types in depth, TryHackMe HTTP in Detail and DNS in Detail rooms, Python chapters 1 and 2 from Automate the Boring Stuff, and writing and running my first Python script in Kali Linux.

The thing about cookies I almost missed

I was working through the TryHackMe HTTP in Detail room and hit the section about cookies. I already understood roughly what cookies were — they store your login session, so you do not have to log in on every page. What I did not understand was the security flags. Specifically HttpOnly.

Here is what HttpOnly does: when a cookie has the HttpOnly flag set, JavaScript cannot read it. That sounds like a minor technical detail. It is not. If a website has a cross-site scripting (XSS) vulnerability — meaning an attacker can inject JavaScript into a page — and your session cookie does not have HttpOnly set, that inject
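An added example, not part of the original post or the TryHackMe room: a short Python script that parses a Set-Cookie header, reports which hardening attributes (HttpOnly, Secure, SameSite) are missing, and builds a session cookie that carries all of them. The sample headers are constructed, not captured from any real site.

```python
# Attributes a session cookie should carry. HttpOnly keeps the cookie out of
# reach of page JavaScript, Secure keeps it off plaintext HTTP, and SameSite
# limits when the browser sends it on cross-site requests.
REQUIRED = ("HttpOnly", "Secure", "SameSite")


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, {attr: val}).

    Attribute names are lower-cased because browsers treat them
    case-insensitively, so 'httponly' and 'HttpOnly' must both count.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:            # tolerate a trailing ';'
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str):
    """Return the hardening attributes missing from a Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    return [attr for attr in REQUIRED if attr.lower() not in attrs]


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie header value with the flags a session cookie needs."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    # Constructed sample headers: one as a careless app might emit it,
    # one built with every hardening flag set.
    weak = "session=abc123; Path=/"
    strong = build_session_cookie("session", "abc123")
    for header in (weak, strong):
        print(header, "->", audit_set_cookie(header) or "ok")
```

Run it against the Set-Cookie values you see in a proxy or the browser's network tab; an empty list means every flag the script checks for is present.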



