Mr. Farshad:
I was investigate about security issues because a auditoring in my customers.
I see that UniGui doesn't have Session Cookies, then is no problem the use of the parameter HttpOnly for the cookies.
I realice that have a javascript variable _S_ID with the Session ID value.
The HttpOnly parameters is to avoid a maliciosus javascript to get/set the Session Cookie ID, but implemening with a JavaScript Variable is more modificable and have not a way to avoid this. I'm right?
About CSRF attacks I want to ask if they are implemented a issue to avoid this type of attack.
Best Regards