Yes, there are cases where you don't want HTTP ONLY or SECURE.
The Secure flag is more important. If we expect all sites to run over https, and only https, then the only http part is a redirect to https. You never want your cookie sent in the clear. Well, almost never. Here are two cases where you might:
- development environments often don't have, or don't need to have TLS certs (though maybe they should).
- to track activity that originated on http. You might even use your load balancer to set an insecure cookie before it sends back the redirect. Then your application analytics can track which URLs came in as HTTP. Your load balancer can track which sessions came in as http.
UPDATE - TLS in Development
A lot of talk about whether you should or shouldn‘t use TLS in development. Posted the question here: