<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
The httpOnlyCookies attribute politely asks the web browser not to share a cookie with scripts or applets. For session cookies, this attribute should always be true. As with the secure attribute, httpOnly can only be seen when a cookie is set in a response.
Modern browsers will prohibit scripts from reading the cookie value when this attribute is set. If scripts make requests to the web application (Ajax), the browser will still include the cookie in the request, but the script never gets direct access to the cookie's value.
The requireSSL setting fixes the Firesheep problem by marking issued cookies as secure, while the lockItem attribute ensures that other web.config files cannot override these settings.
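Since both flags are only visible when a cookie is actually set in a response, an added defender-side check (example code, not from the original page) is to parse the Set-Cookie headers a site returns and report any cookie that lacks Secure or HttpOnly. The sample headers below are constructed; the ASP.NET_SessionId name is the default ASP.NET session cookie, and the session-cookie list is an assumption you would adjust for your application.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample response headers (not from the original page).
# The first is what a site without httpOnlyCookies/requireSSL would issue;
# the second is what the configured <httpCookies> element produces.
SAMPLE_HEADERS = [
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/",
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
    "Set-Cookie: theme=dark; path=/; expires=Wed, 01 Jan 2025 00:00:00 GMT",
]

@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    problems: List[str] = field(default_factory=list)

def audit_set_cookie(header: str, session_names=("ASP.NET_SessionId",)) -> CookieAudit:
    """Parse one Set-Cookie header and report missing Secure/HttpOnly flags."""
    # Accept either the full header line or just its value.
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    audit = CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)
    if not audit.secure:
        audit.problems.append("missing Secure: cookie will be sent over plain HTTP")
    if not audit.httponly:
        audit.problems.append("missing HttpOnly: cookie readable by script")
    if name in session_names and audit.problems:
        audit.problems.append("session cookie: these flags should always be set")
    return audit

def audit_headers(headers) -> List[CookieAudit]:
    """Audit every Set-Cookie header from one response."""
    return [audit_set_cookie(h) for h in headers]

if __name__ == "__main__":
    for a in audit_headers(SAMPLE_HEADERS):
        print(f"{a.name}: {'OK' if not a.problems else '; '.join(a.problems)}")
```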