Vulnerability scan shows positive for HttpOnly cookie, but is actually a false positive