This is an issue with how older versions of IE display if a cookie is set to HTTPOnly and other methods should be used to verify that setting(such as using Fiddler). In newer versions of IE if you delete the cache and check the response header's HTTPONLY column you should see it checked.