Can a user read my session cookies?

When you create a landing page you can also use JavaScript code. When you have a free account the landing page will have an URL like this http://free.qrplanet.com/your-landing-page. When another user creates a landing page with JavaScript code and you call his URL e.g. http://free.qrplanet.com/another-landing-page when you are logged in a warning will be displayed to protect your account from cookies being stolen.

Sensitive cookies like session cookies are protected with HttpOnly. An HttpOnly Cookie prevents client-side scripts from accessing data.

Another layer of protection is the Content Security Policy (CSP) which prevents scripts being loaded or data sent to third party servers which are not white listed.