[Django]-SESSION_COOKIE_HTTPONLY = True not working in Django:

6👍

The cookie you have highlighted in the screenshot is not the session cookie, it’s the CSRF cookie. There is a separate setting CSRF_COOKIE_HTTPONLY for this cookie. Unlike SESSION_COOKIE_HTTPONLY, CSRF_COOKIE_HTTPONLY defaults to False, so you need to add it in your settings.

CSRF_COOKIE_HTTPONLY = True

Note that setting the CSRF cookie to HttpOnly will make it trickier to do AJAX POST requests. Instead of using the cookie, your JavaScript will have to pull the CSRF token from the page.
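A quick way to confirm which cookie is actually missing the flag, as an added example that is not part of the answer above or of Django itself: parse the Set-Cookie headers a response sends and map any cookie that lacks HttpOnly back to the Django setting that controls it. The headers below are constructed for the example (the cookie values are made up), the cookie names assume the default SESSION_COOKIE_NAME and CSRF_COOKIE_NAME, and HTTPONLY_SETTING_FOR_COOKIE, parse_set_cookie_headers, cookies_missing_httponly and settings_to_enable are helper names chosen here, not Django APIs.

```python
from http.cookies import SimpleCookie

# Default Django cookie names and the setting that controls HttpOnly on each.
# (SESSION_COOKIE_NAME / CSRF_COOKIE_NAME can rename the cookies; adjust if so.)
HTTPONLY_SETTING_FOR_COOKIE = {
    "sessionid": "SESSION_COOKIE_HTTPONLY",  # defaults to True
    "csrftoken": "CSRF_COOKIE_HTTPONLY",     # defaults to False
}

# Constructed sample: the Set-Cookie headers a Django login response would
# carry with both settings left at their defaults. Values are made up.
DEFAULT_SETTINGS_HEADERS = [
    "csrftoken=c0nstructedT0ken; Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=c0nstructedSess; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax",
]

# Constructed sample: the same response after adding CSRF_COOKIE_HTTPONLY = True.
FIXED_SETTINGS_HEADERS = [
    "csrftoken=c0nstructedT0ken; HttpOnly; Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=c0nstructedSess; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax",
]


def parse_set_cookie_headers(headers):
    """Parse each Set-Cookie header separately into one cookie jar.

    Loading the headers one at a time matters: a single comma-joined string
    is ambiguous to the parser because attribute values such as Expires
    contain commas themselves.
    """
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return jar


def cookies_missing_httponly(headers, names=HTTPONLY_SETTING_FOR_COOKIE):
    """Return the names of cookies set in `headers` without the HttpOnly flag."""
    jar = parse_set_cookie_headers(headers)
    # A parsed Morsel stores the flag as True when present and "" when absent.
    return [name for name in names if name in jar and not jar[name]["httponly"]]


def settings_to_enable(headers):
    """Map the findings to the Django settings that must be set to True."""
    return [HTTPONLY_SETTING_FOR_COOKIE[name]
            for name in cookies_missing_httponly(headers)]


if __name__ == "__main__":
    print("default settings ->", settings_to_enable(DEFAULT_SETTINGS_HEADERS))
    print("fixed settings   ->", settings_to_enable(FIXED_SETTINGS_HEADERS))
```

With the default settings the audit reports only CSRF_COOKIE_HTTPONLY, which is the situation in the question: the session cookie already has the flag, the CSRF cookie does not. In a real project the same check can run against the Django test client, whose response.cookies is already a SimpleCookie, so response.cookies["csrftoken"]["httponly"] gives the flag directly. Once the CSRF cookie is HttpOnly, page scripts read the token from the {% csrf_token %} hidden input (name csrfmiddlewaretoken) rather than from document.cookie, as the answer notes.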
