did you have a look at the following post: https://forum.mendix.com/link/questions/95740?
And as well the following on stackoverflow:
HttpOnly attribute of the cookie, as that would otherwise defeat the meaning of
Googleing this comes up with some warnings.
Hope this helps.
Our company security guidelines also describe this setting. Unfortunately, this is not possible at the moment. I submitted a feature request to enable this: https://forum.mendix.com/link/ideas/2187 You can upvote this if you want.