move secure session cookie secret to config

server/config/config.example.js

@@ -19,6 +19,8 @@ module.exports =
 			redirect_uri	: 'https://client.example.com/auth/callback'
 		}
 	},
+	// session cookie secret
+	cookieSecret	: 'T0P-S3cR3t_cook!e',
 	// Listening hostname for `gulp live|open`.
 	domain : 'localhost',
 	tls    :

server/server.js

@@ -140,10 +140,10 @@ function setupAuth(oidcIssuer)
 	passport.use('oidc', oidcStrategy);
 
 	app.use(session({
-		secret: 'keyboard cat',
+		secret: config.cookieSecret,
 		resave: true,
 		saveUninitialized: true,
-		//cookie            : { secure: true }
+		cookie: { secure: true }
 	}));
 
 	app.use(passport.initialize());