The HttpOnly attribute has been added to the Session cookie generated by ASP.NET 2.0. This value is hardcoded and cannot be changed via a setting in the application. While this is documented as a breaking change in the breaking changes document (linked below), it's not clear the types of symptoms you will see in your application, nor is the fix clearly stated.
void Application_EndRequest(object sender, EventArgs e)
You could also roll this into a custom HttpModule to apply it across multiple applications if necessary.
Link to breaking changes document:
Link to HttpOnly Attribute:
Link to HttpModule documentation:
Special thanks to Shai Zohar for helping isolate the issue as well as testing the above solution.