Additional config key, to enable insecure cookie for CSRF.

janitor/runtime/src/main/java/org/pagan/janitor/JanitorConfig.java

@@ -76,4 +76,10 @@ public class JanitorConfig {
     @ConfigItem(defaultValue = "false")
     public boolean csrfInCookie;
     
+    /**
+     * CSRF cookie will be used as secure
+     */
+    @ConfigItem(defaultValue = "true")
+    public boolean secureCsrfInCookie;
+
 }

janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheConfig.java

@@ -13,6 +13,7 @@ public class SessionCacheConfig {
     public String cookieName;
     public String csrfName;
     public boolean csrfInCookie;
+    public boolean secureCsrfInCookie;
     public Long sessionLifetime;
     
     public void setConfig(JanitorConfig config) {
@@ -20,6 +21,7 @@ public class SessionCacheConfig {
         this.csrfName = config.csrfName;
         this.csrfInCookie = config.csrfInCookie;
         this.sessionLifetime = config.sessionLifetime;
+        this.secureCsrfInCookie = config.secureCsrfInCookie;
     }
     
 }

janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheImpl.java

@@ -63,11 +63,11 @@ public class SessionCacheImpl implements SessionCache {
         put(sessionId, sessionInfo);
         ResponseBuilder builder = Response.ok().cookie(new NewCookie(config.cookieName,
                 sessionId, "/", null, null, config.sessionLifetime.intValue(),
-                false, true));
+                config.secureCsrfInCookie, true));
         if (config.csrfInCookie) {
             builder.cookie(new NewCookie(config.csrfName,
                 sessionInfo.csrfToken(), "/", null, null, config.sessionLifetime.intValue(),
-                false, true));
+                config.secureCsrfInCookie, true));
         } else {
             builder.header(config.csrfName, sessionInfo.csrfToken());
         }