The Cookie.Cookie class does not allow the new "httponly" cookie property to be set. It needs to be added to the valid slots on the cookie metaclass. Also note that like the "secure" cookie attribute, it is simple a boolean flag without any value.
The mod_python session object should also explicitly set the HttpOnly property on the cookies it creates.
See also these related references: