Enable HttpOnly on session cookies
The SESSION_COOKIE_HTTPONLY setting has been set to False in !538 (merged), back when we tried to use websockets with Django Channels. As Django says,
There aren’t many good reasons for turning this off. Your code shouldn’t read session cookies from JavaScript.
code.vpn says we aren't reading the session cookie ourselves anywhere. We should restore this setting to its default value and see if it breaks anything.
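One way to check that restoring the default actually took effect is to look at the Set-Cookie header the application sends and confirm the session cookie carries the HttpOnly attribute. The script below is an added example, not code from this project or from Django; it assumes Django's default session cookie name "sessionid" and uses two constructed Set-Cookie headers, one shaped like a response with SESSION_COOKIE_HTTPONLY = False and one with the default True.

```python
"""Audit Set-Cookie headers for the HttpOnly flag on the Django session cookie.

Added example (not this project's code). Assumes the default Django session
cookie name "sessionid"; the headers below are constructed samples.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and security attributes.

    Attribute names are case-insensitive; HttpOnly and Secure are bare flags,
    SameSite carries a value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    httponly = secure = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            samesite = val.strip() or None
    return CookieAudit(name.strip(), httponly, secure, samesite)


def find_session_cookie_issues(
    set_cookie_headers: Iterable[str], session_cookie_name: str = "sessionid"
) -> List[str]:
    """Return findings for the session cookie only; an empty list means it is fine.

    Only the session cookie is checked because that is the cookie the
    SESSION_COOKIE_HTTPONLY setting controls.
    """
    findings = []
    for header in set_cookie_headers:
        audit = parse_set_cookie(header)
        if audit.name != session_cookie_name:
            continue
        if not audit.httponly:
            findings.append(
                f"{audit.name}: missing HttpOnly (is SESSION_COOKIE_HTTPONLY still False?)"
            )
    return findings


# Constructed samples in the shape Django emits for the session cookie.
BEFORE_HEADER = (
    "sessionid=abc123; expires=Fri, 01 Jan 2100 00:00:00 GMT; "
    "Max-Age=1209600; Path=/; SameSite=Lax"
)
AFTER_HEADER = (
    "sessionid=abc123; expires=Fri, 01 Jan 2100 00:00:00 GMT; "
    "Max-Age=1209600; Path=/; HttpOnly; SameSite=Lax"
)

if __name__ == "__main__":
    for label, header in (("before", BEFORE_HEADER), ("after", AFTER_HEADER)):
        issues = find_session_cookie_issues([header]) or ["ok"]
        print(label, "->", "; ".join(issues))
```

Against a real deployment, feed it the Set-Cookie headers from a logged-in response (for example from `requests` or the browser's network panel) and expect an empty list once the setting is back at its default.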