Hi
HTTP Only : cookie is accessible to browser only, and not to evental scripts run withing the browser. Basically, if you app is a standard web app, without too much client side javascript processing, checking this should be OK
Always sent : I didn't try in on my lab, but this is to send the session cookie in every response or only in the first. According to that article, if the cookie as an expiration date (IE session cookie is not checked"), it is anyway sent in every response with the expiration date updated regardless of the Always Sent Setting.
https://devcentral.f5.com/questions/cookie-persistence-quotalways-send-cookie-quot-option
Hope this helps :)