forked from github/kensanata.oddmuse
"secure" and "httponly" flags for cookies (improved security)
These flags are essential for security. The problem we are trying to
solve is the following:
1) you visit a wiki using HTTPS and you set your password.
2) you accidentally visit the same website using plain HTTP
3) although you don't notice, your cookies are sent over the insecure
connection.
Even if that website has redirection, even if it denies any insecure
traffic, your cookie is still leaked. That's how cookies work.
"secure" and "httponly" flags solve this. It means that these cookies
will only be sent over a secure connection. If you have set your
password using HTTPS and later you visit the same wiki using plain HTTP,
it will look like you are not logged in (because these cookies will not
be used when you access the website using a non-secure connection).
If you have HTTPS on your website -- ALWAYS make sure that you set your
password using it. Alternatively, redirect all non-secure requests to
HTTPS - that's even better.
If you set your password using HTTP, the same cookie will be used for
both HTTP and HTTPS requests - this is done for compatibility with
HTTP-only wikis.
$ENV{'HTTPS'} returns 'on' or an empty string. 'on' is truthy, so it
should not create any problems; we can safely use it.
I've tested this, it works as expected.
wiki.pl
@@ -2293,7 +2293,7 @@ sub Cookie {
my ($changed, $visible, %params) = CookieData(); # params are URL encoded
if ($changed) {
my $cookie = join(UrlEncode($FS), %params); # no CTL in field values
my $result = $q->cookie(-name=>$CookieName, -value=>$cookie, -expires=>'+2y');
my $result = $q->cookie(-name=>$CookieName, -value=>$cookie, -expires=>'+2y', secure=>$ENV{'HTTPS'}, httponly=>$ENV{'HTTPS'});
if ($visible) {
$Message .= $q->p(T('Cookie: ') . $CookieName . ', '
. join(', ', map {$_ . '=' . $params{$_}} keys(%params)));
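Review bot: `httponly=>$ENV{'HTTPS'}` on the added `$q->cookie(...)` line ties the HttpOnly flag to the transport, but HttpOnly only keeps client-side script from reading the cookie and has nothing to do with HTTPS, so it should be set unconditionally (`-httponly=>1`) for HTTP and HTTPS sessions alike. The `secure` flag also assumes `$ENV{'HTTPS'}` is either `on` or empty, which is what Apache's mod_ssl sets, but some servers (IIS, for example) set it to `off` for plain-HTTP requests; since `off` is a true value in Perl, such a cookie would carry the Secure flag on an HTTP session, never be sent back, and the user could not log in. Normalise the value first, e.g. `my $https = (lc($ENV{'HTTPS'} || '') eq 'on') ? 1 : 0;` and pass `-secure=>$https`; the dashed `-secure`/`-httponly` spelling also matches the `-name`, `-value` and `-expires` arguments on the same line.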