In the web installer, use secure session cookies
When starting a session when the detected protocol is HTTPS, use
cookie_secure=1 so that the session cookie has the secure attribute.
Without the secure attribute, a CSRF attack could be used to send
cookies over an insecure channel, leaking the session ID to an attacker
with network access.
(cherry picked from commit 9ba8f8d12475a37848eaadae0effae8d956e3342)