Open
Description
In a recent discussion, it was noted that some users may intentionally opt out of HttpOnly cookies, despite the security risks involved.
We should consider expanding the cookie_http_only section of the documentation to:
- Acknowledge that some users may choose to disable HttpOnly cookies.
- Clearly explain the associated security risks (e.g., increased vulnerability to XSS attacks).
- Optionally include a security note or warning box highlighting the implications of this choice.
Reference comment: #1861 (review)
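An added illustration of the risk the proposed documentation should explain (example code written for this note, not the project's own code, and the cookie names and header values are constructed): a small audit of `Set-Cookie` headers that reports which cookies a page script could read through `document.cookie` because they lack the `HttpOnly` attribute, comparing a response sent with `cookie_http_only` disabled against the hardened default.

```python
"""Audit Set-Cookie headers for cookies that are readable by page scripts."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieFlags:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    http_only = secure = False
    same_site = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip()
    return CookieFlags(name, http_only, secure, same_site)


def script_readable_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies an injected script could read via document.cookie.

    A cookie without HttpOnly is exposed to any XSS on the origin; a session
    cookie in this list means an XSS bug becomes a session-theft bug.
    """
    parsed = [parse_set_cookie(h) for h in set_cookie_headers]
    return [c.name for c in parsed if not c.http_only]


# Constructed sample responses (hypothetical cookie names and values).
# Weak: the session cookie is set with cookie_http_only disabled.
WEAK_RESPONSE = [
    "session=abc123; Path=/; Secure; SameSite=Lax",
    "theme=dark; Path=/; Secure; SameSite=Lax",  # preference cookie, read by UI JS
]
# Hardened: the session cookie keeps HttpOnly; only the UI preference is script-readable.
HARDENED_RESPONSE = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]
```

Running the audit against real responses is a quick way to confirm that only cookies which genuinely need client-side access (like the preference cookie above) show up, and that the session cookie does not.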