localStorage only allows access to the same domain / subdomain. This is often too restrictive. I should make it configurable so that the JWT token will also be set on a cookie with a configured domain.
When I do, I should add an xsrfToken inside the JWT (https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage).
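
The cookie-plus-xsrfToken arrangement described above, sketched as an added example (not part of the original note or the project's code): the server issues a JWT with an `xsrfToken` claim in a cookie scoped to the configured domain, then accepts a request only if a header repeats that claim. The cookie name `jwt`, the `X-XSRF-TOKEN` header, the function names and the HS256 signing are assumptions made for illustration.

```javascript
const crypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (input, secret) =>
  crypto.createHmac("sha256", secret).update(input).digest("base64url");

// Issue an HS256 JWT carrying a random xsrfToken claim, plus the Set-Cookie
// value that scopes it to the configured domain (cookie name "jwt" is assumed).
function issueSession(userId, secret, cookieDomain, ttlSeconds = 900) {
  const xsrfToken = crypto.randomBytes(16).toString("hex");
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ sub: userId, xsrfToken, exp }));
  const jwt = `${head}.${body}.${sign(`${head}.${body}`, secret)}`;
  // HttpOnly keeps the JWT away from page script; xsrfToken is handed to the
  // page separately (for example in the login response body).
  const setCookie = `jwt=${jwt}; Domain=${cookieDomain}; Path=/; ` +
    `Max-Age=${ttlSeconds}; HttpOnly; Secure; SameSite=Lax`;
  return { jwt, xsrfToken, setCookie };
}

// Verify the cookie JWT, then require the X-XSRF-TOKEN header value (assumed
// header name) to equal the xsrfToken claim. Returns the claims or null.
function authorize(cookieJwt, xsrfHeader, secret) {
  const parts = String(cookieJwt).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = Buffer.from(sign(`${head}.${body}`, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp <= Date.now() / 1000) return null;
  // A cross-site request carries the cookie automatically but cannot read the
  // token, so it cannot supply a matching header.
  const want = Buffer.from(String(claims.xsrfToken || ""));
  const got = Buffer.from(String(xsrfHeader || ""));
  if (want.length === 0 || got.length !== want.length) return null;
  return crypto.timingSafeEqual(got, want) ? claims : null;
}
```
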