BUG 9528 Cookies in ProcessMaker are not HttpOnly

- The PHPSESSID cookie are not HttpOnly
- Add the attribute HttpOnly for the PHPSESSID cookie

workflow/engine/methods/login/authentication.php

@@ -150,6 +150,12 @@ try {
         $_SESSION['USR_USERNAME'] = $usr;
     }
 
+    if (PHP_VERSION < 5.2) {
+      setcookie(session_name(), session_id(), null, '/', '; HttpOnly');
+    } else {
+      setcookie(session_name(), session_id(), null, '/', null, null, true);
+    }
+
     $aUser = $RBAC->userObj->load($_SESSION['USER_LOGGED']);
     $RBAC->loadUserRolePermission($RBAC->sSystem, $_SESSION['USER_LOGGED']);
     //$rol = $RBAC->rolesObj->load($RBAC->aUserInfo['PROCESSMAKER']['ROLE']['ROL_UID']);