It was observed that the HTTPOnly and Secure attributes are set to no in the session cookie of the application.
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.
If HttpOnly flag is not set for a given cookie then the cookie can be accessed via client-side scripts and thus may lead to exposure of sensitive information stored in the cookies to unintended parties.
Release : 14.4
Component : IdentityMinder(Identity Manager)
3rd Party Issue
Refer to the following link with official info
In case you don't have RedHat subscription for Jboss, You can try the following
<subsystem xmlns="urn:jboss:domain:undertow:4.0">... <servlet-container name="default">... <session-cookie http-only="true" secure="true" /></servlet-container>...</subsystem>
and restart Jboss.