Please review my http_only patch for the CookieStore

Hi,
In a security review of our application I realized that the
CookieStore cookie wasn't using an HttpOnly cookie. I thought I had
seen HttpOnly cookies somewhere in Rails and found that Rails cookie
support does support it, but it was never brought forward to the actual
CookieStore.

http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/1046-http-only-cookies-in-cookiestore

While the cookie store is tamper proof, abusive JavaScript could still
remove the session cookie or cause a TamperedWithCookie exception.

This patch exposes a configuration parameter :session_http_only which
defaults to true. This sets the HttpOnly flag on the cookie from the
CookieStore.

The patch itself is pretty simple and allows you to turn off HttpOnly
if necessary.

Pelle
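
A check a reviewer could run against captured response headers to confirm the session cookie carries HttpOnly. This is an added example, not part of the patch described above; the cookie names and header values are constructed sample data, and the helper names are hypothetical.

```ruby
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# Helper names are hypothetical; they are not Rails APIs.

# Parse one Set-Cookie header value into name, value and an attribute map.
# Returns nil for a header with no name=value pair.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip).reject(&:empty?)
  return nil if pair.nil? || !pair.include?("=")

  # Split on the first "=" only: CookieStore values are base64 and may
  # themselves contain "=" padding.
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, out|
    key, val = attr.split("=", 2)
    # Attribute names are case-insensitive; flags such as HttpOnly have no value.
    out[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attributes }
end

# Names of the cookies listed in session_names that were set without HttpOnly.
def cookies_missing_http_only(headers, session_names)
  headers.map { |h| parse_set_cookie(h) }
         .compact
         .select { |c| session_names.include?(c[:name]) }
         .reject { |c| c[:attributes].key?("httponly") }
         .map { |c| c[:name] }
end

# Constructed sample headers (not captured from a real application).
SAMPLE_HEADERS = [
  "_myapp_session=BAh7AA==--deadbeef; path=/",
  "_other_session=BAh7AA==--deadbeef; path=/; HttpOnly",
  "theme=dark; path=/",
  "_third_session=abc; Path=/; ; httponly; Secure",
  ""
].freeze

SESSION_NAMES = %w[_myapp_session _other_session _third_session].freeze

if __FILE__ == $PROGRAM_NAME
  missing = cookies_missing_http_only(SAMPLE_HEADERS, SESSION_NAMES)
  missing.each { |name| puts "session cookie without HttpOnly: #{name}" }
  puts "all session cookies are HttpOnly" if missing.empty?
end
```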