In Pulse Connect Secure and Pulse Policy Secure 9.0R3 or above, a new HTTPOnly session cookie option is available.
This option will create a new session cookie with HTTPOnly attribute along with DSID session cookie. The new session cookie along with DSID will be needed to restore a user session.
To enable this option, navigate to Users > User Roles > Select Role > Session Option. Under HTTP Only Device Cookie, select Enabled.
Please note, when enabling this option, only the new session cookie will have the HTTPOnly attribute. All other cookies will not included the HTTPOnly attribute. Security scanners will report these additional cookies are missing the HTTPOnly attribute and can be considered a false-positive.