Support for httponly session cookies
Implementation could be like session.secure. If possible in trunk and in 3.1
I may provide a diff file if useful.
Reported by samuel.iseli at vertec.com