Mark the player cookie httpOnly

It doesn't improve much security-wise,
but it's a good practise anyway.

airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java

@@ -151,6 +151,7 @@ public class PlayerService {
             String cookieName = COOKIE_NAME + "-" + StringUtil.utf8HexEncode(username);
             Cookie cookie = new Cookie(cookieName, String.valueOf(player.getId()));
             cookie.setMaxAge(COOKIE_EXPIRY);
+            cookie.setHttpOnly(true);
             String path = request.getContextPath();
             if (StringUtils.isEmpty(path)) {
                 path = "/";