I am running compliance check on my web application and there was a vulnerability saying cookie doesn't contain httpOnly. I am using tomcat 7.0.27. I assume from the posts that tomcat 7+ by default have this flag as true.

I have also explicitly set it on my context as true. I have also set the session-config / cookie-config as secure.

But still I get the same vulnerability. I am confused.

Can someone help me out please?

Thanks & Regards