* try to couple some way HttpAdapter's httpOnly option and AuthProvider's useLimitedToken
* do not send secure cookies over non-secure channel