Finally got to the bottom of this issue. I opened a ticket with the HP's software security response team (SSRT). Here is the reply to the specific vulnerability from Rapid7's Nexpose scan.
***************************************
From: HP SSRT Security Alert [mailto:security-alert@hp.com]
Sent: Wednesday, March 19, 2014 2:46 PM
Subject: Re: HP System Management Homepage (SMH) Missing HttpOnly Flag from Cookie
Hello,
Thank you for contacting the HP Software Security Response Team (SSRT).
HP Product Engineering for System Management Homepage (SMH) evaluated the Missing HttpOnly Flag from Cookie issue and has provided the following position statement…
The reported vulnerability i.e. Missing HttpOnly Flag from Cookie is a client
side defense mechanism and not a vulnerability, where HTTP-only cookies cannot be
accessed by client side script attack (XSS).
The HTTP-only cookies denotes the cookies that are not visible
through the DOM i.e. not permitting a script to access an HTTP-only cookie.
Thus, mitigating the risk of client side script accessing the protected cookie.
But, HTTP-only cookies do not prevent all XSS exploits and using them is *not a
substitute for eliminating XSS vulnerabilities*.
It is a setting which cannot be relied on as all the browsers do not
support it.
There is no way to control the version of the browser used by the end
user.
We have implemented sure ways of defending XSS attacks (server side input
validation, input and output encoding) in SMH which are server side settings
and prevent such attacks from taking place.
Thus the reported vulnerability Missing HttpOnly Flag from Cookie is not a
true vulnerability.
Yours truly,
Software Security Response Team (SSRT)
Hewlett-Packard Company
**********************************
So there you have it. Some times it's by design and the scan is just over reactive.
Just on a other side note while I was searching. If you turn this on, it could break some apps. In the Microsoft OWA world, breaks it. Apache and others alike, results may very.
Dirte