Most application servers (WebLogic, WebSphere) do not support HttpOnly cookies.
If you are not familiar with HttpOnly cookies, please see Jeff's post: http://www.codinghorror.com/blog/archives/001167.html
Currently there is no way to mark the session cookie as HttpOnly in most application servers.
However, you can work around this weakness by implementing a custom cookie that is HttpOnly and having a Servlet Filter set and track it. When the session is first established, this HttpOnly cookie is set as well, and any subsequent request is rejected unless it carries this HttpOnly cookie along with the session cookie.
A sample Filter is available here - http://rejeev.googlepages.com/HttpOnlyCookieFilter.java
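
One way to write such a filter, as an added example (it is not the linked HttpOnlyCookieFilter.java). The class name `HttpOnlyGuardFilter` and cookie name `SID_GUARD` are hypothetical, and it assumes the `javax.servlet` API, a filter mapped to every URL of the application, and that creating a session on the first request is acceptable.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: HttpOnlyGuardFilter and SID_GUARD are hypothetical names.
public class HttpOnlyGuardFilter implements Filter {
    private static final String NAME = "SID_GUARD";
    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true); // assumption: every request gets a session
        String expected = (String) session.getAttribute(NAME);
        if (expected == null) {
            // Session just established: bind a random token to it and send it as HttpOnly.
            String token = new BigInteger(128, random).toString(16);
            session.setAttribute(NAME, token);
            String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();
            // Raw header, because the pre-Servlet-3.0 Cookie class has no setHttpOnly().
            res.addHeader("Set-Cookie", NAME + "=" + token + "; Path=" + path
                    + "; HttpOnly" + (req.isSecure() ? "; Secure" : ""));
        } else if (!matches(req.getCookies(), expected)) {
            // Session cookie arrived without its HttpOnly companion: reject the request.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    private static boolean matches(Cookie[] cookies, String expected) throws IOException {
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) {
                // Constant-time comparison of the presented and stored tokens.
                return MessageDigest.isEqual(c.getValue().getBytes("UTF-8"),
                                             expected.getBytes("UTF-8"));
            }
        }
        return false;
    }
}
```

The token lives in the session, so a script that reads the session cookie from `document.cookie` still cannot present the companion value, which the browser never exposes to JavaScript.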