Ideally, all server-created cookies must be HttpOnly, without exceptions. Currently, Faces, FacesLocal and Servlets utility classes doesn't take into account this.
Updated #232 per recommendations in the PR comments.
As this is a potentially breaking change, I will implement it once 2.4 has been released and branch is ready for 2.5.
Fix #272: update javadoc after merge #232