Seraph remember me cookie is not using HttpOnly or Secure attributes


The seraph.bamboo cookie does not use the HttpOnly or Secure attributes. This increases the impact of XSS and network-based attacks. These attributes must be set, as is already the case for JSESSIONID.

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script. If the Secure attribute is set on a cookie, then browsers will not submit the cookie in any request that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.
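As an added check (example code written for this page, not Bamboo's or Atlassian's own), the following Python audits a list of Set-Cookie header values and reports every cookie that lacks the HttpOnly or Secure attribute. The two sample headers are constructed to mirror the report: JSESSIONID carries both attributes, seraph.bamboo carries neither; the cookie values are placeholders.

```python
# Added example (not code from the Bamboo issue or from Atlassian): audit
# Set-Cookie headers for the HttpOnly and Secure attributes the issue asks for.
# The sample headers are constructed to mirror the report; values are fake.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence

SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=EXAMPLESESSIONID; Path=/; Secure; HttpOnly",
    "seraph.bamboo=EXAMPLEREMEMBERMETOKEN; Path=/; Max-Age=1209600",
]


@dataclass
class CookieFlags:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into the flags the audit cares about.

    Attribute names are case-insensitive (RFC 6265), and HttpOnly / Secure are
    flag attributes without a value, so only their presence is recorded. The
    cookie value is not needed for the audit and is discarded.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieFlags(
        name=name.strip(),
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite"),
    )


def find_unprotected(
    headers: Iterable[str],
    required: Sequence[str] = ("httponly", "secure"),
) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attribute names]} for every cookie that
    lacks at least one required attribute; fully protected cookies are omitted."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [attr for attr in required if not getattr(cookie, attr)]
        if missing:
            findings[cookie.name] = missing
    return findings


if __name__ == "__main__":
    # Against a live instance, pass response.headers.get_all("Set-Cookie") from
    # the login POST response (urllib.request) instead of the sample list.
    for cookie_name, missing in find_unprotected(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie_name}: missing {', '.join(missing)}")
```

Run against the constructed headers it reports only seraph.bamboo as missing both attributes. Note that HttpOnly only keeps the value out of document.cookie; script already running in the origin can still issue authenticated requests with the cookie attached, so the attribute limits token theft rather than XSS impact in general.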

            Assignee:
            Unassigned
            Reporter:
            Daniel