Use httpOnly in express-session to prevent the client side from accessing the cookie via JavaScript