Why doesn't document.cookie show all the cookie for the site?

I go to a forum which uses vBulletin 3.8. When I log in, I use firebug to see what cookies were set. I see these cookies:

> __utmb, __utmc, __utma, __utmz, bbsessionhash, vbseo_loggedin, bbpassword, bbuserid, bblastactivity, bblastvisit

They all had a value set, and the domain was identical.

But when I use JavaScript to view them, it only saw these cookies: > __utmb, __utmc, __utma, __utmz, vbseo_loggedin, bblastactivity, bblastvisit

In firebug, I only see these three cookies: bbsessionhash, bbpasword and bbuserid, that were actually set. HTTPOnly in column HTTPOnly. What does it mean and is that the reason I can't see those cookies in JavaScript using document.cookie?

From http://en.wikipedia.org/wiki/HTTP_cookie:

> Cookies are not directly visible to > client-side programs such as > JavaScript if they have been sent with > the HttpOnly flag. From the point of > view of the server, the only > difference with respect of the normal > case is that the set-cookie header > line is added a new field containing > the string HttpOnly': > > Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly> > When the browser receives such a > cookie, it is supposed to use it as > usual in the following HTTP exchanges, > but not to make it visible to > client-side scripts. > <s>TheHttpOnly` flag is not part of any standard, and is not implemented in all browsers.

Update from 2017: a lot of time had passed since 2009, and HttpOnly header flag is became a standard, defined in the section 5.2.6 of RFC6265, with the storage semantics described in the same document (look for "http-only-flag" throughout the RFC text).

There is no way to access anything about the HttpOnly cookies from "non-HTTP" APIs, e.g. JavaScript. By design, neither reading, nor writing such cookies is possible.