Set HttpOnly in the `experimentation_subject_id` cookie
The cookie `experimentation_subject_id` isn't set with the flag `HttpOnly`.
For example, the `_gitlab_session` cookie has that.

```
Set-Cookie: _gitlab_session=a534xxxxxxxx5145f80; path=/; expires=Thu, 24 Oct 2019 10:27:50 -0000; secure; HttpOnly
```
This flag mitigates a set of security issues. For more info, please read https://www.owasp.org/index.php/HttpOnly
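
One way to check captured `Set-Cookie` headers for the missing flag, added here as an example and not taken from the issue or from GitLab's code. The function names are hypothetical, and the `experimentation_subject_id` header (including its `secure` attribute) is constructed for illustration.

```ruby
# Attribute names in Set-Cookie are case-insensitive, so compare them downcased.
REQUIRED_FLAGS = %w[httponly secure].freeze

# Parse one Set-Cookie header into { name:, attributes: }; nil if it has no cookie pair.
def parse_set_cookie(header)
  value = header.sub(/\Aset-cookie:\s*/i, "")
  pair, *attrs = value.split(";").map(&:strip).reject(&:empty?)
  return nil if pair.nil? || !pair.include?("=")

  name, _cookie_value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    key, val = attr.split("=", 2)
    # Flag attributes (HttpOnly, Secure) carry no value; store true for them.
    acc[key.strip.downcase] = val.nil? ? true : val.strip
  end
  { name: name.strip, attributes: attributes }
end

# Return { cookie_name => [missing flags] } for every cookie lacking a required flag.
def audit_cookies(headers, required = REQUIRED_FLAGS)
  headers.each_with_object({}) do |header, findings|
    cookie = parse_set_cookie(header)
    next if cookie.nil?

    missing = required.reject { |flag| cookie[:attributes].key?(flag) }
    findings[cookie[:name]] = missing unless missing.empty?
  end
end

# First header is the one quoted in the issue; the second is constructed sample input.
SAMPLE_HEADERS = [
  "Set-Cookie: _gitlab_session=a534xxxxxxxx5145f80; path=/; " \
  "expires=Thu, 24 Oct 2019 10:27:50 -0000; secure; HttpOnly",
  "Set-Cookie: experimentation_subject_id=PLACEHOLDER; path=/; " \
  "expires=Thu, 24 Oct 2019 10:27:50 -0000; secure"
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_cookies(SAMPLE_HEADERS).each do |name, missing|
    puts "#{name}: missing #{missing.join(', ')}"
  end
end
```
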
