How to fix insecure HTTP cookies
The Secure flag should be set on every cookie that carries sensitive data when content is accessed over HTTPS, so the browser never sends it over plain HTTP. If cookies carry session tokens, the parts of the application served over HTTPS should use their own session handling mechanism, and those session tokens must never be transmitted over an unencrypted connection.
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, set the HttpOnly flag by including the attribute in the relevant Set-Cookie header.
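An added example (not from the original article) that audits the Set-Cookie headers of a response for the two flags discussed above and shows what a correctly flagged header looks like; the cookie names and values below are constructed samples.

```python
"""Check Set-Cookie headers for the Secure and HttpOnly attributes."""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and an attribute map.

    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly)
    map to True, attributes with values (Path, Domain, Max-Age) to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(header: str, over_https: bool = True) -> list:
    """Return a list of findings for a single Set-Cookie header.

    Secure is only required when the page is served over HTTPS; HttpOnly is
    expected on every cookie unless client-side script must read it.
    """
    cookie = parse_set_cookie(header)
    findings = []
    if over_https and "secure" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing Secure flag")
    if "httponly" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing HttpOnly flag")
    return findings


def audit_response(set_cookie_headers: list, over_https: bool = True) -> list:
    """Audit every Set-Cookie header of one response and flatten the findings."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_set_cookie(header, over_https))
    return findings


def secure_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie header value with both flags set."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly"


# Constructed sample headers, as a server might emit them
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",            # neither flag set
    "theme=dark; Path=/; Secure",          # readable by script, but only over TLS
    secure_set_cookie("sid", "xyz789"),    # both flags set
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```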
References
OWASP – How to set the SecureFlag on cookies
PHP – Setting a secure session cookie
OWASP – HttpOnly
Updated on: 18/07/2022