We need:

- A config option to switch on/off, defaulting to "on".
- Set the HttpOnly cookie attribute when calling `SetCookie`.
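One way the two requirements could fit together, as an added sketch that is not the project's own code. It assumes a Go code base built on `net/http`; `CookieConfig`, its `HTTPOnly` field, the `SetCookie` wrapper signature and `headerFor` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CookieConfig is a hypothetical settings struct (an assumption, not the
// project's own). HTTPOnly is a *bool so that "not configured" can be told
// apart from an explicit false; a plain bool would silently default to off.
type CookieConfig struct {
	HTTPOnly *bool
}

// httpOnlyEnabled returns the effective setting: on unless explicitly disabled.
func (c CookieConfig) httpOnlyEnabled() bool {
	if c.HTTPOnly == nil {
		return true
	}
	return *c.HTTPOnly
}

// SetCookie is a hypothetical wrapper that applies the configured HttpOnly
// attribute before handing the cookie to net/http.
func SetCookie(w http.ResponseWriter, cfg CookieConfig, name, value string) {
	http.SetCookie(w, &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: cfg.httpOnlyEnabled(),
	})
}

// headerFor returns the Set-Cookie header emitted under cfg, using a
// constructed cookie name and value.
func headerFor(cfg CookieConfig) string {
	rec := httptest.NewRecorder()
	SetCookie(rec, cfg, "session", "constructed-value")
	return rec.Header().Get("Set-Cookie")
}

func main() {
	off := false
	fmt.Println(headerFor(CookieConfig{}))               // option absent: HttpOnly is set
	fmt.Println(headerFor(CookieConfig{HTTPOnly: &off})) // explicit opt-out
}
```

The nil check is what makes "on" the default: an absent option and an explicit `false` are distinct states, so an upgrade that never touches the config still gets HttpOnly cookies.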