Chrome developer tools > resources > cookies > http column, does a checkmark here indicate HttpOnly cookie?
Yes. Enter document.cookie in the console, and you'll see that none of the checked cookies are visible.
HTTP = HttpOnly flag, Secure = secure flag.
Yes. Right click on your page or press F12 button. This will open developers tools window. Go to application tab. It'll show as follow :-
Now, typing document.cookie on the tab, you'll see only csrf token being shown.
To specify session cookies to be httpCookie by default, set 'useHttpOnly' attribute in context.xml in tomcat, for java web application. For more information, refer to http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
So 2 things .
1) HTTP only cookie this name is a bit misleading as we can send HTTPOnly cookie over HTTPS and it works perfectly fine. Main characteristics of HTTP Only cookie is it can't be accessed using JavaScript . In-fact You can't even manually edit this in Chrome's Application tab.
2) So how you can edit HTTP Only cookie ? In chrome You can use extension to edit cookie while development . In production mode there is no way you can adultrate this without man in the middle attack on HTTP connection.