cookie options ignored - hence settings are not secure enough

it is very important that we deliver secure systems e.g. `{ httpOnly: true, secure: true }` should be used by default as advised by experts. we try to set these options but cookie generated is not secure as expected.

