Here is a copy of an issue i just opened on github.
It would be nice and make the site with kirby more secure, if the php session cookie is marked as HttpOnly and secure (for sites with https delivery).
Marking the cookie as HttpOnly should be default, because accessing the session cookie form javascript is a quite special usecase.
The secure mark should be set automatically if the config constant ssl is set true.
This is also somewhat connected to the issue #249, to not always start a session. And issue #267.