added httponly true by default, updated readme

README.md

@@ -22,7 +22,7 @@ API
         cookie: {
           path: '/api',
           httpOnly: true, // defaults to true
-          secure: true    // defaults to true
+          secure: false   // defaults to false
         }
       }));
 

lib/cookie-session.js

@@ -193,6 +193,19 @@ var cookieSession = function(opts) {
   
   opts.cookieName = opts.cookieName || "session";
 
+  // set up cookie defaults
+  opts.cookie = opts.cookie || {};
+  if (typeof(opts.cookie.httpOnly) == 'undefined')
+    opts.cookie.httpOnly = true;
+  
+  // let's not default to secure just yet,
+  // as this depends on the socket being secure,
+  // which is tricky to determine if proxied.
+  /*
+  if (typeof(opts.cookie.secure) == 'undefined')
+    opts.cookie.secure = true;
+    */
+
   // support for maxAge
   if (opts.cookie.maxAge) {
     opts.cookie.expires = new Date(new Date().getTime() + opts.cookie.maxAge);

test/all-test.js

@@ -86,6 +86,9 @@ suite.addBatch({
     },
     "with a path attribute": function(err, res) {
       assert.match(res.headers['set-cookie'][0], /path/);
+    },
+    "with an httpOnly attribute": function(err, res) {
+      assert.match(res.headers['set-cookie'][0], /httponly/);
     }
   }
 });