There are multiple ways to secure cookie in your application, but the easiest way is always at network edge like F5. Following example is given based on your Web Application cookie start with JSESSIONID. If you have something else, you can modify accordingly. The following will add HTTPOnly and Secure flag in Set-Cookie starting with JSESSIONID in header response.
To implement using iRule
Create irule with following
Associate irule to respective Virtual Server
To verify
You can use any web developer tool to view Response headers and ensure you see following. You can also use HTTP Header online tool to confirm this. Interested in learning more about F5 administration? Check out this online course by Tyco Taygo.