Add secure flag to cookie for HTTPS sites

[mberkowski]

While assisting with a site that has incorporated this project, I noticed that the CSRF cookie is set without the secure flag. As a feature request, consider setting the secure flag in the setcookie() call when the code can detect it is running under HTTPS (via $_SERVER['HTTPS'] for example) or as a configurable option.

[mebjas]

Yeah that's good if the application is https only, which sadly isn't a generic case as of now. Check this thread #48, there was a PR for the same. You could use it though if the app is actually https only.

[mberkowski]

The tight coupling to port 443 is problematic in that PR. There is risk though for sites that aren't guaranteed https all the time, so perhaps a default-off configuration option instead.

[mebjas]

yeah it can be made configurable with default off.

[mebjas]

feel free to send a PR, with config value as something like httpsOnly let's say

[mebjas]

Implemented with 6f12262