Missing HTTPOnly Cookie Attribute in Laravel 7


I have a Laravel site, I thought I patched this issue already.

I got these in my session.php

'secure'    => true, 'http_only' => true, 

But OpenVas still detected that I still need to it.

enter image description here

It also listed it 3 times

enter image description here

Am I missing anything else ? or this is a potential false positive from OpenVas ?