Merged
4 changes: 2 additions & 2 deletions docs/components/framework/cookie.md
Expand Up @@ -34,8 +34,8 @@ The following table describes the options for how the cookie is persisted within
| -------- | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| expires | <code>date</code> | [A date on which the cookie will expire](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie). If the date is in the past, then the browser will remove the cookie. |
| maxAge | <code>number</code> | The [number of seconds until the cookie expires](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#max-agenumber). `maxAge` takes precedence over `expires` if both are defined. |
| secure | <code>boolean</code> | Whether to secure the cookie so that [client JavaScript is unable to read it](https://owasp.org/www-community/HttpOnly). |
| httpOnly | <code>boolean</code> | Whether to secure the cookie so that the browser only sends it over HTTPS. Some browsers [don't work with secure cookies on localhost](https://owasp.org/www-community/controls/SecureCookieAttribute). |
| secure | <code>boolean</code> | Whether to secure the cookie so that the browser only sends it over HTTPS. Some browsers [don't work with secure cookies on localhost](https://owasp.org/www-community/controls/SecureCookieAttribute). |
| httpOnly | <code>boolean</code> | Whether to secure the cookie so that [client JavaScript is unable to read it](https://owasp.org/www-community/HttpOnly). |
| sameSite | <code>"lax" &#124; "strict" &#124; "none"</code> | Declares that the cookie should be restricted to a first-party or [same-site](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) context. |
| path | <code>string</code> | Tells the browser that the cookie should only be sent to the server if it's within the [defined path](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#path_attribute). |
| domain | <code>string</code> | Secures the cookie so that it's only used on [specific domains](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#domain_attribute). |
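Review bot: The `secure` and `httpOnly` rows both open with the same phrase, "Whether to secure the cookie so that", which makes the two descriptions easy to transpose. Consider starting each row with what distinguishes it, for example "Restricts the cookie to HTTPS requests" for `secure` and "Hides the cookie from client JavaScript" for `httpOnly`. The same two sentences are also maintained by hand in docs/framework/hydrogen-config.md and in the `CookieOptions` doc comments in Cookie.ts, so keeping one source for them would stop the copies from drifting apart again.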
4 changes: 2 additions & 2 deletions docs/framework/hydrogen-config.md
Expand Up @@ -160,9 +160,9 @@ export default defineConfig({
session: CookieSessionStorage('__session', {
/* Tells the browser that the cookie should only be sent to the server if it's within the defined path. */
path: '/',
/* Whether to secure the cookie so that the browser only sends it over HTTPS. */
httpOnly: true,
/* Whether to secure the cookie so that client JavaScript is unable to read it. */
httpOnly: true,
/* Whether to secure the cookie so that the browser only sends it over HTTPS. */
secure: process.env.NODE_ENV === 'production',
/* Declares that the cookie should be restricted to a first-party or same-site context. */
sameSite: 'strict',
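Review bot: On the `secure` line, the comment says the browser only sends the cookie over HTTPS, but the value is `process.env.NODE_ENV === 'production'`, so in every environment where `NODE_ENV` is anything else the `__session` cookie is set without that restriction. The comment should state that the flag is deliberately off outside production (the localhost caveat from cookie.md is the reason to cite), and it would help to tell readers that an HTTPS-served staging or preview deployment needs either `NODE_ENV` set to `'production'` or an explicit `secure: true`.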
6 changes: 3 additions & 3 deletions packages/hydrogen/src/foundation/Cookie/Cookie.ts
Expand Up @@ -3,11 +3,11 @@ import {log} from '../../utilities/log';
import {parseJSON} from '../../utilities/parse';

export type CookieOptions = {
/** Whether to secure the cookie so that the browser only sends it over HTTPS. Some
* browsers [don't work with secure cookies on localhost](https://owasp.org/www-community/controls/SecureCookieAttribute).
/** Whether to secure the cookie so that [client JavaScript is unable to read it](https://owasp.org/www-community/HttpOnly).
*/
httpOnly?: boolean;
/** Whether to secure the cookie so that [client JavaScript is unable to read it](https://owasp.org/www-community/HttpOnly).
/** Whether to secure the cookie so that the browser only sends it over HTTPS. Some
* browsers [don't work with secure cookies on localhost](https://owasp.org/www-community/controls/SecureCookieAttribute).
*/
secure?: boolean;
/** Declares that the cookie should be restricted to a first-party
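Review bot: `httpOnly?` and `secure?` are both optional in `CookieOptions`, yet neither doc comment says what the cookie gets when the option is left out. For two security flags the default is the first thing a reader needs, so each comment should end with a sentence stating the behaviour when the field is omitted, taken from what the serializer actually does. It is also worth one line noting that the two flags are independent, since the descriptions were swapped precisely because they read as interchangeable.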