HttpOnly token without CSRF is safe?

Çağlar Arlı      -    22 Views

How can a hacker steal my session when my form does not have CSRF tokens but my session cookies are HttpOnly? How would he get my session cookie in this case? Is this possible?

For example, to be clearer: I have my authenticated session in the cookie (remembering that the form does not contain a CSRF token), but it "cannot" be accessed by JS. In this case, how can a hacker take advantage of this?