The distributed SSO session store cookie (default name “saml-session”) is by default not set to be HTTP Only and there isn’t a property on the type ComponentSpace.Saml2.Bindings.CookieOptions that allows this to be overridden.

Is there a reason that the cookie has to be available to client-side JavaScript?

If not, could you advise if there’s a way of configuring this without manually re-writing the Set-Cookie header ourselves?

Support for setting HTTP Only was added in the current release (v2.0.6).
For example:

using ComponentSpace.Saml2.Bindings;
using ComponentSpace.Saml2.Configuration;
using ComponentSpace.Saml2.Session;

// Make the SAML session cookie HTTP only.
// (The generic type argument to Configure<TOptions> did not survive extraction of this post.)
services.Configure(options =>
{
    options.CookieOptions = new CookieOptions()
    {
        HttpOnly = true
    };
});

// Add SAML SSO services.

We’ll default to HTTP Only in the next release (v2.0.7).
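As an added check (not part of the original thread or of ComponentSpace's code): after configuring HttpOnly, confirm it from the Set-Cookie headers the application actually emits (for example from `curl -i` or browser dev tools). The check is written in Python because it only inspects header text. The sample headers are constructed for illustration. Besides HttpOnly it flags a missing Secure attribute and a SameSite=Strict setting, because the IdP delivers the SAML response with a cross-site POST and a Strict cookie is not sent on that request.

```python
"""Audit Set-Cookie headers for the attributes the SAML session cookie needs.

Added illustration, not ComponentSpace code. Sample headers are constructed.
"""
from __future__ import annotations

SESSION_COOKIE_NAME = "saml-session"  # default name as stated in the post

# Finding codes and what each one means in practice.
EXPLANATIONS = {
    "no-httponly": "readable via document.cookie, so any XSS can steal the SSO session",
    "no-secure": "sent over plaintext HTTP, so it can be captured on the wire",
    "samesite-strict": "not sent on the IdP's cross-site POST of the SAML response, which breaks SSO",
    "samesite-none-without-secure": "browsers reject SameSite=None unless Secure is also set",
}


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | bool]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr.lower(): val or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookie(header: str, cookie_name: str = SESSION_COOKIE_NAME) -> list[str]:
    """Return finding codes for one Set-Cookie header; [] means it passes.

    Headers that set a different cookie are ignored and also return [].
    """
    name, _value, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return []
    findings: list[str] = []
    if "httponly" not in attrs:
        findings.append("no-httponly")
    if "secure" not in attrs:
        findings.append("no-secure")
    samesite = attrs.get("samesite")
    if isinstance(samesite, str):
        if samesite.lower() == "strict":
            findings.append("samesite-strict")
        elif samesite.lower() == "none" and "secure" not in attrs:
            findings.append("samesite-none-without-secure")
    return findings


def audit_response(headers: list[str]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header of one response; only failing headers are returned."""
    results = {h: audit_cookie(h) for h in headers}
    return {h: codes for h, codes in results.items() if codes}


# Constructed sample headers (not captured from a real deployment).
SAMPLE_HEADERS = [
    "saml-session=x7Qa9; path=/",                                        # v2.0.6 default
    "saml-session=x7Qa9; path=/; httponly",                              # after setting HttpOnly = true
    "saml-session=x7Qa9; path=/; secure; samesite=none; httponly",       # works with the cross-site POST binding
    "saml-session=x7Qa9; path=/; secure; samesite=strict; httponly",     # breaks the SAML response POST
    ".AspNetCore.Antiforgery.Abc=def; path=/; samesite=strict; httponly",  # another cookie, ignored
]

if __name__ == "__main__":
    for header, codes in audit_response(SAMPLE_HEADERS).items():
        print(header)
        for code in codes:
            print(f"  {code}: {EXPLANATIONS[code]}")
```

Run it against the real headers of the page that sets the cookie; an empty result for the saml-session header means HttpOnly and Secure are present and SameSite is compatible with the POST binding.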