Can anyone offer me a workaround?
But more importantly, why do you want to read an HTTPOnly cookie? If you are a developer, just disable the flag and make sure you test your code for XSS. I recommend that you avoid disabling this flag if at all possible. The HTTPOnly flag and the "secure" flag (which forces the cookie to be sent only over HTTPS) should always be set.
If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HTTPOnly flag: you can still ride on the session without knowing the session ID. The MySpace Samy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. Therefore the attacker could do almost anything that the logged-in user could do.
People have too much faith in the HTTPOnly flag; XSS can still be exploitable. You should set up barriers around sensitive features. For example, the change-password field should require the current password, and an admin's ability to create a new account should require a CAPTCHA, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.