Add support for cookie.secure === 'auto'

[STRML]

This mirrors support in express-session where we look at the value of req.headers['x-forwarded-proto'] to automatically determine if we should set Secure.

This provides the developer with a safe way of getting Secure set, without relying on complicated logic to detect development environments or set up branching middleware chains.