
ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can't override this.

Source: Accepted answer at How is HttpOnly get set for ASP.NET_SessionId cookie?

I am unable to see that flag in the browser when the response is received. The application's web.config does not have an httpCookies element defined, nor is the HttpOnly property set to false in the Global file.

[screenshot: browser cookie view for the response]

However, in the pen test report, which talks about use of an insecure ASP.NET session cookie, I can see the HttpOnly flag for the same request. See below:

[screenshot: pen test report showing the same request]

Again, I am not asking about cookie security or the pen test issue itself. I am just wondering why the browser is not showing the flag. Tried in both IE and Chrome.

Nikhil Vartak

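One way to settle a disagreement between a browser's cookie viewer and a pen test report is to look at the raw Set-Cookie response header itself (for example from `curl -i`), since that is what both tools are ultimately interpreting. The Python script below is an added example, not code from the question or the quoted answer: it parses every Set-Cookie header in a constructed HTTP response, records whether each cookie carries HttpOnly and Secure, and lists the cookies that lack them. The response text and cookie values are constructed samples; the session cookie name ASP.NET_SessionId is the one named in the question.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieFlags:
    """Parsed view of one Set-Cookie header."""
    name: str
    value: str
    http_only: bool
    secure: bool
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse the value part of a Set-Cookie header.

    Attribute names are matched case-insensitively, because servers vary
    in how they capitalise 'HttpOnly' and 'Secure'.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")  # only the first '=' separates name and value
    http_only = secure = False
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key_l = key.strip().lower()
        if key_l == "httponly":
            http_only = True
        elif key_l == "secure":
            secure = True
        else:
            attrs[key_l] = val.strip()
    return CookieFlags(name.strip(), value.strip(), http_only, secure, attrs)


def audit_response_headers(raw_headers: str) -> Dict[str, CookieFlags]:
    """Collect every Set-Cookie header from raw HTTP response headers, keyed by cookie name."""
    cookies: Dict[str, CookieFlags] = {}
    for line in raw_headers.splitlines():
        hname, sep, hval = line.partition(":")
        if sep and hname.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(hval.strip())
            cookies[cookie.name] = cookie
    return cookies


def missing_flags(cookies: Dict[str, CookieFlags],
                  session_cookie_names: Tuple[str, ...] = ("ASP.NET_SessionId",)) -> List[str]:
    """Report cookies lacking HttpOnly, and session cookies also lacking Secure."""
    findings: List[str] = []
    for name, cookie in cookies.items():
        if not cookie.http_only:
            findings.append(f"{name}: missing HttpOnly")
        if name in session_cookie_names and not cookie.secure:
            findings.append(f"{name}: missing Secure")
    return findings


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=constructedsessionvalue; path=/; HttpOnly
Set-Cookie: theme=dark; path=/
Content-Length: 1234
"""


if __name__ == "__main__":
    parsed = audit_response_headers(SAMPLE_RESPONSE)
    for cookie_name, flags in parsed.items():
        print(f"{cookie_name}: HttpOnly={flags.http_only} Secure={flags.secure}")
    for finding in missing_flags(parsed):
        print("FINDING:", finding)
```

Run against real traffic, the raw headers come from `curl -i` output or a proxy capture; if the header carries HttpOnly, the flag is set regardless of what a particular browser's cookie panel displays.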