cubicweb #4142521 support the httponly cookie flag [validation pending]

the httponly flag tells the browser not to expose the cookie to javascript (through document.cookie and xmlhttprequest). we should use that for session cookies.

https://www.owasp.org/index.php/HttpOnly

prioritynormal
typeenhancement
done in3.20.0
load0.250
load left0.000
closed by#1245357b3b3e [web] add support for HttpOnly cookie flag
patch[web] add support for HttpOnly cookie flag [applied]