Publication date:
2022
Abstract:
The article provides technical details on a security issue discovered in daloRADIUS (https://github.com/lirantal/daloradius), along with the patch to apply for correcting the issue. In particular, all versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag. The problem could cause JavaScript (e.g., using document.cookies) to access the PHPSESSID cookie value on the browser side.
CRIS type:
05.12 Other
Keywords:
cybersecurity; vulnerability; disclosure; cve; patch
Authors:
Lauria, Filippo Maria