+ session tokens additionally set the \code{HttpOnly} and \code{secure} attributes.
+ \begin{result}
+ There is just one cookie for the application and it's path includes the whole
+ site. However this seems appropriate. The \code{HttpOnly} and \code{secure}
+ attributes are not set for this cookie.
+ \end{result}