[eluser]Douglas Clifton[/eluser]
This is for CI v1.7.0, although Session.php states "@since Version 1.0." Anyway, I altered the source to include both secure and httponly flags when setting the session cookie. The latter only works for PHP 5.2+, although you could certainly roll your own setcookie() function to do the same. After applying the patch below, you can set these flags in your config/config.php file.
$config['cookie_httponly'] = false|true; // see above, default false
$config['cookie_secure'] = false|true; // https required for the latter, default false
Unified diff patch attached.
