When a persistence profile is configured with the HTTP Cookie type, the cookies sent to the pool servers do not have the "HTTPOnly" attribute set, even though the HTTP Application Profile used by the virtual service has the "HTTP-Only" parameter set.
When using the persistence profile type of "HTTP Cookie", the setting to add "HTTPOnly" attribute to the persistence cookies is configured within the persistence profile settings, not the HTTP Application Profile settings.
The "HTTP-Only" cookies setting in the HTTP Application profile is not used in this case.
To enable the HTTPOnly setting for the persistence cookies, it currently needs to be configured through the CLI.
To verify the current HTTP-Only setting in the persistence profile:
- SSH to the controller leader node and type shell to enter the Avi shell (and authenticate).
- Then enter the following command to view the persistence profile settings:
show applicationpersistenceprofile <profile name>
If http_only is set to False like in the screenshot below, or you do not see a value for http_only, then this setting needs to be set to True for HTTPOnly to be added to persistence cookies.
To change the setting to True, enter the following commands through the shell:
> configure applicationpersistenceprofile <profile name>
applicationpersistenceprofile> http_cookie_persistence_profile
applicationpersistenceprofile:http_cookie_persistence_profile> http_only
Overwriting the previously entered value for http_only
applicationpersistenceprofile:http_cookie_persistence_profile> save
applicationpersistenceprofile> save
>
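After saving the profile, the result can be confirmed from the client side by inspecting the Set-Cookie headers in a response from the virtual service. The following is an added example, not part of the original article or of Avi's tooling: it parses captured response headers and lists the cookies that lack HttpOnly. The sample responses, the cookie name PERSIST_EXAMPLE and the function names are constructed placeholders.

```python
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# SAMPLE_BEFORE / SAMPLE_AFTER are constructed responses; the cookie name
# "PERSIST_EXAMPLE" and its value are placeholders, not Avi defaults.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PERSIST_EXAMPLE=httponly-looking-value; path=/\r\n"
    "Set-Cookie: APPSESSION=abc123; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
)
SAMPLE_AFTER = SAMPLE_BEFORE.replace("; path=/\r\n", "; path=/; HttpOnly\r\n")


def set_cookie_values(raw_headers):
    """Return the value of every Set-Cookie header line (there may be several)."""
    values = []
    for line in raw_headers.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_flags(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    pair, *attrs = set_cookie_value.split(";")
    name = pair.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; drop any "=value" part.
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags


def missing_httponly(raw_headers):
    """Names of cookies whose Set-Cookie header lacks the HttpOnly attribute."""
    missing = []
    for value in set_cookie_values(raw_headers):
        name, flags = cookie_flags(value)
        if "httponly" not in flags:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("before:", missing_httponly(SAMPLE_BEFORE))
    print("after: ", missing_httponly(SAMPLE_AFTER))
```

The check matches attribute names only, so a cookie whose value happens to contain the text "httponly" is still reported as missing the attribute.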