Added http_only option to session configuration.

application/config/session.php

@@ -16,7 +16,7 @@
 	|
 	*/
 
-	'driver' => '',
+	'driver' => 'file',
 
 	/*
 	|--------------------------------------------------------------------------
@@ -86,4 +86,19 @@
 
 	'https' => false,
 
+	/*
+	|--------------------------------------------------------------------------
+	| HTTP Only Session Cookie
+	|--------------------------------------------------------------------------
+	|
+	| Should the session cookie only be accessible over HTTP?
+	|
+	| Note: The intention of the "HTTP Only" option is to keep cookies from
+	|       being accessed by client-side scripting languages. However, this
+	|       setting should not be viewed as providing total XSS protection.
+	|
+	*/
+
+	'http_only' => false,
+
 );