A flag you set on a cookie that stops JavaScript from reading it. Session cookies use it so that even if an attacker sneaks malicious code onto your page, they still can't steal the session.