diff --git a/web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java b/web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java
index 29a4ca231b..d4123a8188 100644
--- a/web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java
+++ b/web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java
@@ -52,7 +52,7 @@ class CookieDeserializer extends JsonDeserializer {
 cookie.setVersion(readJsonNode(jsonNode, "version").asInt());
 cookie.setPath(readJsonNode(jsonNode, "path").asText());
 JsonNode attributes = readJsonNode(jsonNode, "attributes");
- cookie.setHttpOnly(readJsonNode(attributes, "HttpOnly").asBoolean());
+ cookie.setHttpOnly(readJsonNode(attributes, "HttpOnly") != null);
 return cookie;
 }

diff --git a/web/src/test/java/org/springframework/security/web/jackson2/CookieMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson2/CookieMixinTests.java
index 0e8cdfd032..3b14b222ee 100644
--- a/web/src/test/java/org/springframework/security/web/jackson2/CookieMixinTests.java
+++ b/web/src/test/java/org/springframework/security/web/jackson2/CookieMixinTests.java
@@ -52,7 +52,7 @@ public class CookieMixinTests extends AbstractMixinTests {
 " \"@class\": \"jakarta.servlet.http.Cookie\"," +
 " \"name\": \"demo\"," +
 " \"value\": \"cookie1\"," +
- " \"attributes\":{\"@class\":\"java.util.Collections$UnmodifiableMap\", \"HttpOnly\": \"true\"}," +
+ " \"attributes\":{\"@class\":\"java.util.Collections$UnmodifiableMap\", \"HttpOnly\": \"\"}," +
 " \"comment\": null," +
 " \"maxAge\": -1," +
 " \"path\": null," +
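Review bot: The new `readJsonNode(attributes, "HttpOnly") != null` check in CookieDeserializer may be true for every input. readJsonNode is defined outside this hunk, but the context lines chain `.asInt()` and `.asText()` directly onto its result, which suggests it returns a placeholder node rather than Java null when a field is absent. If so, every deserialized cookie comes back with HttpOnly set, including cookies that were stored without the attribute, and the restored state no longer reflects what was serialized. Testing the node itself keeps the presence semantics without relying on null: `cookie.setHttpOnly(!readJsonNode(attributes, "HttpOnly").isMissingNode());`. The enclosing method begins outside the hunk, so confirm against readJsonNode's actual return contract.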
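Review bot: The updated fixture in CookieMixinTests covers only the case where `HttpOnly` is present in `attributes`, so a deserializer that marks every cookie HttpOnly would still pass. A second fixture whose `attributes` map has no `HttpOnly` key, asserting that `isHttpOnly()` is false after deserialization, would pin the presence check made in CookieDeserializer. The assertions of this test lie outside the hunk, so this is based on the fixture string alone.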