I am running a compliance check on my web application and there was a vulnerability saying the cookie doesn't contain httpOnly. I am using Tomcat 7.0.27. I assume from the posts that Tomcat 7+ has this flag set to true by default.
I have also explicitly set it on my context as true. I have also set the session-config / cookie-config as secure.
But still I get the same vulnerability. I am confused.
Can someone help me out please?
Thanks & Regards