diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
index 1ad128448ca..fe8dac9a37d 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
@@ -864,6 +864,17 @@ public class ServerProperties
 .getIncludeStacktrace() == ErrorProperties.IncludeStacktrace.NEVER) {
 customizeErrorReportValve(factory);
 }
+ Cookie cookie = serverProperties.getSession().getCookie();
+ if (cookie.getHttpOnly() != null) {
+ factory.addContextCustomizers(new TomcatContextCustomizer() {
+
+ @Override
+ public void customize(Context context) {
+ context.setUseHttpOnly(cookie.getHttpOnly());
+ }
+
+ });
+ }
 }
 
 private void customizeErrorReportValve(
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
index c15666133b5..571af472e7b 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
@@ -32,6 +32,8 @@ import javax.servlet.SessionTrackingMode;
 
 import org.apache.catalina.Context;
 import org.apache.catalina.Valve;
+import org.apache.catalina.core.StandardContext;
+import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.valves.AccessLogValve;
 import org.apache.catalina.valves.ErrorReportValve;
 import org.apache.catalina.valves.RemoteIpValve;
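Review bot: In the ServerProperties.java hunk, the anonymous `TomcatContextCustomizer` calls `cookie.getHttpOnly()` again when Tomcat later invokes `customize`, so the null check in the enclosing `if` does not protect the unboxing into `setUseHttpOnly` if the properties object is changed in between. Reading the value once, `final Boolean httpOnly = cookie.getHttpOnly();`, and using `httpOnly` in both the check and the callback avoids that; a `final` local also keeps the capture compilable if the module still targets a pre-Java 8 source level. An explicit `false` removes the HttpOnly flag from the session cookie, so a comment such as `// Unset keeps Tomcat's default; false makes the session cookie readable from script` would help the next reader. The enclosing method starts above the hunk.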
@@ -734,6 +736,18 @@ public class ServerPropertiesTests {
 "spring-boot-*.jar");
 }
 
+ @Test
+ public void customTomcatHttpOnlyCookie() throws Exception {
+ this.properties.getSession().getCookie().setHttpOnly(false);
+ TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
+ this.properties.customize(factory);
+ EmbeddedServletContainer container = factory.getEmbeddedServletContainer();
+ Tomcat tomcat = ((TomcatEmbeddedServletContainer) container).getTomcat();
+ StandardContext context = (StandardContext) tomcat.getHost().findChildren()[0];
+ assertThat(context.getUseHttpOnly()).isFalse();
+ container.stop();
+ }
+
 @Test
 public void defaultUseForwardHeadersUndertow() throws Exception {
 UndertowEmbeddedServletContainerFactory container = spy(
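Review bot: `customTomcatHttpOnlyCookie` covers only the `false` setting, so nothing pins the safer case where the property is left unset and the context should keep Tomcat's default of `getUseHttpOnly()` being true. A second test that skips `setHttpOnly` and asserts `isTrue()` would guard that default against regressions. The assertion also runs before `container.stop()` with no `finally`, so a failing assertion leaves the embedded Tomcat running for later tests; `try { assertThat(context.getUseHttpOnly()).isFalse(); } finally { container.stop(); }` avoids that.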