
Added support for secure and HttpOnly cookies #456

Open
rasulsafa wants to merge 6 commits into NanoHttpd:master from rasulsafa:master

@rasulsafa

No description provided.

@rasulsafa rasulsafa closed this Aug 26, 2017
@meisser

meisser commented Jun 11, 2020

Why is this closed?

I'd love to see this.

@rasulsafa
Author

Hm, I made this pull request almost three years ago - I don't really remember why I closed it. I'll make a small tweak and reopen it.

@rasulsafa rasulsafa reopened this Jun 11, 2020
@rasulsafa
Author

I don't have time to test this until the weekend, so if you or someone else would like to, that would be great.

@luziusmeisser

Thanks for reactivating. I got the cookies working, but it was a very painful experience. There are many things that need to be done just right in order for a modern browser to accept the cookie in a cross-site environment.

For those who are interested in what it takes besides setting the secure flag:

```java
res.addHeader("Access-Control-Allow-Origin", session.getHeaders().get("origin"));
res.addHeader("Access-Control-Allow-Credentials", "true");
```

And then of course you also need to handle the pre-flight OPTION request:

```java
// Answer the CORS pre-flight request with an empty body.
if (session.getMethod() == Method.OPTIONS) {
    Response resp = NanoHTTPD.newFixedLengthResponse("");
    resp.addHeader("Access-Control-Allow-Methods", "OPTIONS, POST, GET");
    resp.addHeader("Access-Control-Allow-Headers", "X-PINGOTHER, Content-Type");
    return resp;
}
```

Furthermore, the browser might demand the domain to be set in the cookie.

All in all, it takes much more than just the secure flag to get it working. But I'm not sure how far NanoHTTPD should support it. It's not called MicroHTTPD after all. :)
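
An added example (not code from this pull request or from NanoHTTPD) of the headers listed in the comment above, with the `Origin` header checked against an allowlist instead of being echoed back for any caller, because an echoed origin combined with `Access-Control-Allow-Credentials: true` lets any site read credentialed responses. The class and method names, the allowlisted origin, the cookie values and the `SameSite=None` attribute (which current browsers require on cross-site cookies) are assumptions that do not come from the thread.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CredentialedCors {
    // Assumption: the only front-end origin allowed to send cookies (constructed value).
    static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.com");

    /** Headers to add to the response; an empty map means the origin is not trusted. */
    static Map<String, String> corsHeaders(String method, String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            // No CORS headers: the browser will not expose the response to that page.
            return headers;
        }
        // Must be the exact origin; browsers reject "*" on credentialed requests.
        headers.put("Access-Control-Allow-Origin", origin);
        headers.put("Access-Control-Allow-Credentials", "true");
        // The response differs per origin, so caches must key on it.
        headers.put("Vary", "Origin");
        if ("OPTIONS".equals(method)) { // pre-flight request
            headers.put("Access-Control-Allow-Methods", "OPTIONS, POST, GET");
            headers.put("Access-Control-Allow-Headers", "Content-Type");
        }
        return headers;
    }

    /** Set-Cookie value carrying the attributes discussed in this thread. */
    static String sessionCookie(String name, String value, String domain) {
        return name + "=" + value + "; Domain=" + domain
                + "; Path=/; Secure; HttpOnly; SameSite=None";
    }

    public static void main(String[] args) {
        // Constructed requests: a trusted pre-flight, a trusted POST, an unknown origin.
        System.out.println(corsHeaders("OPTIONS", "https://app.example.com"));
        System.out.println(corsHeaders("POST", "https://app.example.com"));
        System.out.println(corsHeaders("POST", "https://other.example")); // prints {}
        System.out.println(sessionCookie("sid", "constructed-token", "api.example.com"));
    }
}
```

In a NanoHTTPD handler, each map entry would be applied with `res.addHeader(key, value)`, passing in `session.getHeaders().get("origin")` as the origin, as in the comment above.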
