ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies
setting linked to in your question, because this is burned into ASP.NET. You can’t override this.
If you dig into the System.Web.SessionState.SessionIDManager
class in the System.Web assembly the code for creating the ASP.NET session cookie looks like:
private static HttpCookie CreateSessionCookie(string id)
{
HttpCookie cookie = new HttpCookie(Config.CookieName, id);
cookie.Path = "https://stackoverflow.com/";
cookie.HttpOnly = true; // <-- burned in
return cookie;
}