Here is a copy of an issue I just opened on GitHub.

It would be nice, and would make a site built with Kirby more secure, if the PHP session cookie were marked as HttpOnly and Secure (for sites delivered over HTTPS).

Marking the cookie as HttpOnly should be the default, because accessing the session cookie from JavaScript is quite a special use case.

The Secure flag should be set automatically if the config constant ssl is set to true.

This is also somewhat connected to issue #249 (to not always start a session), and to issue #267.
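As an added illustration of what the request above asks for (this is example code, not Kirby's own session handling), the snippet below starts the PHP session with the HttpOnly flag always on and the Secure flag derived from an `ssl` config entry or from the actual request scheme. The `$config` array, its `ssl` key and the function names are assumptions made for the example; the `session.cookie_*` settings and `session_set_cookie_params()` are standard PHP.

```php
<?php
// Added example, not part of the original post or of Kirby.
// $config['ssl'] stands in for the "config constant ssl" mentioned above
// and is an assumption of this example.

/**
 * Decide which flags the session cookie should carry.
 *
 * HttpOnly is unconditional: the session id has no business being readable
 * from JavaScript in the normal case. Secure is set when the site is declared
 * HTTPS-only in the config, or when the current request actually arrived over
 * HTTPS, so a plain-HTTP development setup still gets a working session.
 */
function session_cookie_flags(array $config, array $server): array
{
    $requestIsHttps = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $sslConfigured  = !empty($config['ssl']);

    return [
        'httponly' => true,
        'secure'   => $sslConfigured || $requestIsHttps,
    ];
}

/**
 * Start the session with the hardened cookie flags applied.
 *
 * Returns the flags that were applied, or null when a session was already
 * active (cookie parameters cannot be changed after session_start()).
 */
function start_hardened_session(array $config, array $server): ?array
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return null;
    }

    $flags = session_cookie_flags($config, $server);

    // Belt and braces: set the ini values and the cookie params explicitly,
    // so the result does not depend on php.ini defaults of the host.
    ini_set('session.use_only_cookies', '1');          // never accept ids from the URL
    ini_set('session.use_strict_mode', '1');           // reject ids the server did not issue
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', $flags['secure'] ? '1' : '0');

    $params = session_get_cookie_params();
    session_set_cookie_params(
        $params['lifetime'],
        $params['path'],
        $params['domain'],
        $flags['secure'],
        $flags['httponly']
    );

    session_start();
    return $flags;
}

// Demonstration when run from the command line (no real cookie is sent
// there, but the effective parameters can be inspected).
if (PHP_SAPI === 'cli') {
    // Constructed inputs: an HTTPS-only site receiving a plain-HTTP request.
    $config = ['ssl' => true];
    $server = ['HTTPS' => 'off'];

    $applied = start_hardened_session($config, $server);
    var_dump($applied);                  // httponly => true, secure => true
    var_dump(session_get_cookie_params());
}
```

To confirm the flags on a live site, request a page that starts a session and inspect the response header, e.g. `curl -sI https://example.test/ | grep -i set-cookie`; the `PHPSESSID` cookie should carry `HttpOnly` and, over HTTPS, `Secure`. Note that `ini_set('session.cookie_secure', ...)` is a per-request runtime setting, so it must run before every `session_start()`, which is why the example wraps both in one function.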