Wrong documentation for CookieOptions.HttpOnly

[TrymBeast]

true if a cookie is accessible by client-side script; otherwise, false.

Isn't the opposite? With a true value only server-side can access the cookie.

[Tratcher]

https://github.com/aspnet/AspNetKatana/blob/fae38fae683bb0977bcaf7c3ffce244aced82135/src/Microsoft.Owin/CookieOptions.cs#L48

Good catch. Feel free to submit a PR, or else we'll handle this in our next milestone.