Commit
Support JSON Property for HTTPOnly

To enable it, set sessionStateHttpOnly: true in oxAuth config. Note that SessionManagement will not work. See http://openid.net/specs/openid-connect-session-1_0.html

Note that your browser should not allow a client-side script to access the session_state cookie. Unfortunately, since the attribute is relatively new, several browsers may neglect to handle the new attribute properly. See https://www.owasp.org/index.php/HttpOnly