cosignhttponlycookies is a directive added in v3.2 which causes the filter (and CGI, I think) to add the 'HttpOnly' flag to cosign cookies. This feature appears to be complete but largely undocumented and is off by default.
The HttpOnly flag provides a useful mitigation against session stealing in the event that a service is compromised by XSS, and it seems sensible to have this feature documented and turned on by default.
Anonymous
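
Added example, not part of the original ticket or the cosign code base: a Python check that reads HTTP response headers and reports cosign cookies set without the HttpOnly attribute, which is one way to confirm the directive is taking effect. It assumes cosign cookies are named `cosign` or `cosign-<service>`; the host names, cookie values and sample headers are constructed.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def is_cosign_cookie(name):
    # Assumption: cosign cookies are named "cosign" or "cosign-<service>".
    return name == "cosign" or name.startswith("cosign-")


def cookies_missing_httponly(raw_headers):
    """Return the names of cosign cookies that were set without HttpOnly."""
    missing = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line, blank line or some other header
        name, attrs = parse_set_cookie(value)
        # Attribute names are case-insensitive, so compare in lowercase.
        if is_cosign_cookie(name) and "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample: response headers with the directive off (the default).
SAMPLE_OFF = """HTTP/1.1 302 Found
Location: https://weblogin.example.org/?cosign-example&https://app.example.org/
Set-Cookie: cosign-example=AbCdEf0123456789/1300000000; path=/; secure
Set-Cookie: theme=dark; path=/
"""

# Constructed sample: the same response with the HttpOnly flag present.
SAMPLE_ON = """HTTP/1.1 302 Found
Location: https://weblogin.example.org/?cosign-example&https://app.example.org/
Set-Cookie: cosign-example=AbCdEf0123456789/1300000000; path=/; secure; HttpOnly
Set-Cookie: theme=dark; path=/
"""

if __name__ == "__main__":
    for label, headers in (("directive off", SAMPLE_OFF), ("directive on", SAMPLE_ON)):
        missing = cookies_missing_httponly(headers)
        print(f"{label}: {'missing HttpOnly on ' + ', '.join(missing) if missing else 'ok'}")
```

To check a live service, pass the function the header text saved from a response (for example the output of `curl -sI`).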