After having set ek_HttpOnly to true in the web.config you may not see the HTTPONLY flag in Internet Explorer's F12 Developer Tools.
This is an issue with how older versions of IE display if a cookie is set to HTTPOnly and other methods should be used to verify that setting(such as using Fiddler). In newer versions of IE if you delete the cache and check the response header's HTTPONLY column you should see it checked.
<%= heading %>
