Make a copy of the cookie options before mutating it to pass to cookie.serialize. This prevents unexpected things from happening when we try to use the same options object multiple times. Also add a test to verify that the options object does not change after a request is made.
By having the method verbs available on the router, users can set up disjoint routers and organized paths easier. It is now possible to have a .js file export the router.middleware and attach these paths using an `app.use('/path', middleware)` call. This means that any routes written in the separate file do not need to have a full path hardcoded as they can be mounted by the application anywhere. This is already possible using `router.route(verb, args)` however is needlessly verbose without this patch.
Per RFC 2616 §10.3.6 & §10.2.5 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html) "The [204/304] response MUST NOT contain a message-body, and thus is always terminated by the first empty line after the header fields."
Escape the URL printed by res.redirect using URL encoding. This prevents some browsers (primarily old versions of IE) from attempting to sniff the Content-Type and evaluate it as HTML, which causes a cross-site scripting vulnerability.