Conversation

@hrntknr hrntknr commented Aug 20, 2025

Summary

Add security improvements to session cookies by configuring the HttpOnly flag and a MaxAge timeout to enhance protection against XSS attacks and improve session management.

Type of Change

  • feat: A new feature

Related Issues

Add the HttpOnly flag to prevent XSS attacks on session cookies and set MaxAge to 3600 seconds (1 hour) for better session management.
Copilot AI review requested due to automatic review settings August 20, 2025 13:23
Copilot AI left a comment

Pull Request Overview

This PR enhances session security by configuring cookie options to protect against XSS attacks and improve session lifecycle management.

  • Adds HttpOnly flag to session cookies to prevent client-side JavaScript access
  • Sets MaxAge to 3600 seconds (1 hour) for automatic session expiration

router.Use(ginzap.RecoveryWithZap(logger, true))
store := cookie.NewStore(secret)
store.Options(sessions.Options{
MaxAge: 3600,

Copilot AI Aug 20, 2025

The MaxAge value of 3600 seconds (1 hour) is hardcoded. Consider making this configurable through environment variables or configuration files to allow different timeout values across environments.

Suggested change
MaxAge: 3600,
// Make session MaxAge configurable via environment variable
maxAge := 3600
if v := os.Getenv("SESSION_MAX_AGE"); v != "" {
if parsed, err := strconv.Atoi(v); err == nil && parsed > 0 {
maxAge = parsed
}
}
store.Options(sessions.Options{
MaxAge: maxAge,

store := cookie.NewStore(secret)
store.Options(sessions.Options{
MaxAge: 3600,
HttpOnly: true,
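
Review bot: the options block sets MaxAge and HttpOnly but leaves SameSite unset; sessions.Options exposes a SameSite field of type http.SameSite, so adding `SameSite: http.SameSiteLaxMode,` next to `HttpOnly: true,` would keep the session cookie off cross-site subrequests and complements the Secure flag raised in the comment on this hunk.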

Copilot AI Aug 20, 2025

The session options are missing the Secure flag which should be set to true in production to ensure cookies are only transmitted over HTTPS connections.

Suggested change
HttpOnly: true,
store := cookie.NewStore(secret)
secureCookie := parsedExternalURL.Scheme == "https"
store.Options(sessions.Options{
MaxAge: 3600,
HttpOnly: true,
Secure: secureCookie,

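To make the two review suggestions above concrete, here is an added example (not code from this PR or the mcp-proxy project) that derives the session cookie attributes the way the suggestions describe: MaxAge from a SESSION_MAX_AGE variable with 3600 seconds as the fallback, and Secure from the scheme of the configured external URL. It uses the standard library's http.Cookie in place of gin-contrib/sessions' Options so it runs stand-alone; the cookie name, the example URL and the SameSite=Lax setting are assumptions of this example, not something the PR sets.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strconv"
)

// defaultMaxAge mirrors the PR's hardcoded value: 3600 seconds (one hour).
const defaultMaxAge = 3600

// sessionMaxAge parses SESSION_MAX_AGE (the name from the review suggestion);
// unset, non-numeric or non-positive values fall back to defaultMaxAge.
func sessionMaxAge(raw string) int {
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return defaultMaxAge
	}
	return n
}

// sessionCookie builds the session cookie: Secure follows the external URL's
// scheme; SameSite=Lax is an addition beyond the PR (off cross-site subrequests).
func sessionCookie(name, value, externalURL string, maxAge int) (*http.Cookie, error) {
	u, err := url.Parse(externalURL)
	if err != nil {
		return nil, fmt.Errorf("parse external URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("external URL must be http or https, got %q", u.Scheme)
	}
	return &http.Cookie{
		Name:     name,
		Value:    value,
		MaxAge:   maxAge,
		HttpOnly: true,                 // not readable via document.cookie
		Secure:   u.Scheme == "https",  // transmit only over HTTPS
		SameSite: http.SameSiteLaxMode, // not sent on cross-site subrequests
	}, nil
}

func main() {
	// Constructed inputs; a real deployment takes the external URL from its config.
	c, err := sessionCookie("session", "opaque-id", "https://proxy.example.com", sessionMaxAge(os.Getenv("SESSION_MAX_AGE")))
	if err != nil {
		panic(err)
	}
	fmt.Println(c.String()) // the Set-Cookie value the browser would receive
}
```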
codecov bot commented Aug 20, 2025

Codecov Report

❌ Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.

Files with missing lines   Patch %   Lines
pkg/mcp-proxy/main.go      0.00%     4 Missing ⚠️

@hrntknr hrntknr merged commit 9038812 into main Aug 20, 2025
7 checks passed