My Worklight app connects to a Java web application using an HTTP adapter for user authentication. The server returns a JSESSIONID which can be accessed in the app as a cookie. However, the cookie is marked as HttpOnly so it cannot be accessed via JavaScript.
From this question: how to get jsessionid shown in browser console in worklight, it seems Worklight is flagging the cookie as HttpOnly.
Can I remove the HttpOnly attribute from Worklight?
Indeed, the HttpOnly additional flag is added by Worklight. The HttpOnly flag helps in mitigating the risk of client-side script accessing the protected cookie. Worklight does not offer the ability to remove this additional flag.
That said, while you cannot access it via JavaScript, you could access it in native code (Java).
Another question to ask is why you need to access it to begin with.
See here: Getting session from HttpAdapter to Java based Adapter
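
An added example, not part of the original answer and not Worklight code: a small JavaScript model of the behaviour described above, showing that a cookie set with HttpOnly is left out of what document.cookie exposes to page script, plus a check that a session cookie carries the flag. The function names and the header values are constructed for illustration.

```javascript
// Models which cookies page script can read via document.cookie.
// Header values below are constructed samples, not captured from a Worklight server.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // simplification: nameless cookies are skipped
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive; flag attributes carry no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Build the string document.cookie would return: HttpOnly cookies are omitted.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c !== null && !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit helper: names of session cookies that were set without HttpOnly.
function sessionCookiesMissingHttpOnly(setCookieHeaders, sessionNames = ['JSESSIONID']) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c !== null && sessionNames.includes(c.name) && !('httponly' in c.attrs))
    .map((c) => c.name);
}

// Constructed sample: a flagged session cookie next to an ordinary preference cookie.
const sampleHeaders = [
  'JSESSIONID=CONSTRUCTED0123; Path=/app; HttpOnly',
  'lang=en; Path=/',
];
console.log(scriptVisibleCookies(sampleHeaders));
```

The cookie is still stored and sent with requests; the flag only hides it from script, which is why native code can still reach it.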