Update authentication.adoc

Author: ujibang

docs/security/authentication.adoc

@@ -70,7 +70,7 @@ The cookie authentication mechanism can function using three different options:
 This option is recommended if you also want to allow clients to authenticate via JWTs sent in the `Authorization` header (not stored in a cookie).
 
 ```
-/tokenBasicAuthMechanism/enabled->true|false
+/tokenBasicAuthMechanism/enabled->true
 /jwtAuthenticationMechanism/enabled->true
 /jwtTokenManager/enabled->true
 /rndTokenManager/enabled->false
@@ -112,6 +112,7 @@ Activates when a URL includes the query parameter `?set-auth-cookie` and a user
 ```yaml
 authCookieSetter:
   enabled: false          # Not enabled by default
+  secure: true            # true if only allow setting the cookie on https 
   name: rh_auth           # The name of the cookie to be set
   domain: localhost       # The domain within which the cookie is valid
   path: /                 # The cookie path, applicable to the entire domain
@@ -377,4 +378,4 @@ WWW-Authenticate: Digest realm="RESTHeart Realm",domain="localhost",nonce="Toez7
 
 In browsers this leads to the login popup windows. In our web applications we might want to redirect to a fancy login page when the 401 Unauthorized response code.
 
-To avoid the popup window just add to the request the `noauthchallenge` query parameter or the header `No-Auth-Challenge`. This will skip the challenge response.
+To avoid the popup window just add to the request the `noauthchallenge` query parameter or the header `No-Auth-Challenge`. This will skip the challenge response.