As far as I can tell in master right now SESSION_COOKIE_HTTPONLY = True which should add httponly to all session cookies.
As far as I can tell in master right now SESSION_ COOKIE_ HTTPONLY = True which should add httponly to all session cookies.