Why You Should Set HttpOnly at Logout Page
Firstly, my website can’t be accessed without a session established. After a session is established, the server would set cookies. However, if I access the website without a session, my site will display a logout page. In this case, does the server need to set the HttpOnly or the Secure flag in the response?
You should always set the cookie as HttpOnly if your cookie contains sensitive information (such as personal info, session-related info, a session identifier, etc.). This prevents JavaScript from accessing this cookie in case of an XSS bug in your website.
As far as the Secure flag is concerned, you should set the Secure cookie attribute if your clients communicate with the server over HTTPS. This prevents the client from sending your cookie over non-HTTPS communication.
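One way to check what the answer describes is to audit the `Set-Cookie` headers a page returns, the logout page included. The following is an added example, not part of the original question or answer; the cookie name `sessionid`, the sample headers and the function names are constructed assumptions.

```python
# Added example: audit the Set-Cookie headers of a response for the
# HttpOnly and Secure attributes. Cookie names and headers are constructed.

SENSITIVE = {"sessionid"}  # assumption: names of cookies holding session data


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive, so normalise them.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit(set_cookie_headers, served_over_https=True, sensitive=SENSITIVE):
    """Return (cookie name, problem) pairs for sensitive cookies lacking flags."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in sensitive:
            continue  # non-sensitive cookies are outside this check
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if served_over_https and "secure" not in attrs:
            findings.append((name, "missing Secure"))
    return findings


# Constructed sample: a logout page that issues a fresh session cookie.
LOGOUT_WEAK = [
    "sessionid=3f9a1c; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
]
LOGOUT_FIXED = [
    "sessionid=3f9a1c; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for label, headers in (("weak", LOGOUT_WEAK), ("fixed", LOGOUT_FIXED)):
        print(label, audit(headers))
```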