Also call setHttpOnly property on Tomcat context

Update `ServerProperties` to also call `setHttpOnly` on the
`TomcatContext`. It appears that this is required in addition to
using the `ServletContextInitializer` to setup `SessionCookieConfig`.

Closes gh-12580

Author: philwebb

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java

@@ -864,6 +864,17 @@ void customizeTomcat(ServerProperties serverProperties,
 					.getIncludeStacktrace() == ErrorProperties.IncludeStacktrace.NEVER) {
 				customizeErrorReportValve(factory);
 			}
+			Cookie cookie = serverProperties.getSession().getCookie();
+			if (cookie.getHttpOnly() != null) {
+				factory.addContextCustomizers(new TomcatContextCustomizer() {
+
+					@Override
+					public void customize(Context context) {
+						context.setUseHttpOnly(cookie.getHttpOnly());
+					}
+
+				});
+			}
 		}
 
 		private void customizeErrorReportValve(

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java

@@ -32,6 +32,8 @@
 
 import org.apache.catalina.Context;
 import org.apache.catalina.Valve;
+import org.apache.catalina.core.StandardContext;
+import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.valves.AccessLogValve;
 import org.apache.catalina.valves.ErrorReportValve;
 import org.apache.catalina.valves.RemoteIpValve;
@@ -734,6 +736,18 @@ private void testCustomTomcatTldSkip(String... expectedJars) {
 				"spring-boot-*.jar");
 	}
 
+	@Test
+	public void customTomcatHttpOnlyCookie() throws Exception {
+		this.properties.getSession().getCookie().setHttpOnly(false);
+		TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
+		this.properties.customize(factory);
+		EmbeddedServletContainer container = factory.getEmbeddedServletContainer();
+		Tomcat tomcat = ((TomcatEmbeddedServletContainer) container).getTomcat();
+		StandardContext context = (StandardContext) tomcat.getHost().findChildren()[0];
+		assertThat(context.getUseHttpOnly()).isFalse();
+		container.stop();
+	}
+
 	@Test
 	public void defaultUseForwardHeadersUndertow() throws Exception {
 		UndertowEmbeddedServletContainerFactory container = spy(