Leaky Cookie

The login sets a session cookie without one critical attribute — the one that keeps document.cookie (and therefore any XSS) from reading it. Name that missing attribute inside the flag wrapper.