Cookies

Secure flag

The Secure flag tells the browser to send the cookie only over an HTTPS connection. Since your application should only be available over HTTPS, this flag should be set on every cookie.

setcookie('name', 'value', [
    'secure' => true   // browser sends this cookie over HTTPS only (options array form, PHP 7.3+)
]);

HttpOnly flag

The HttpOnly flag tells the browser not to allow access to the cookie outside of an HTTP request. In practical terms this means the cookie cannot be accessed by JavaScript, which would usually be done through document.cookie:

document.cookie = "name=value"

Cookies will still be sent on requests triggered by JavaScript, such as a call to fetch.

Very few web applications genuinely need to access cookies from JavaScript, and blocking that access limits the damage a cross-site scripting vulnerability can do, since an injected script cannot read the cookie. The HttpOnly flag should therefore always be set.

setcookie('name', 'value', [
    'httponly' => true   // cookie is not exposed to document.cookie (options array form, PHP 7.3+)
]);
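The two flags above belong together on every cookie the application issues, including the session cookie that PHP sets itself. The following is an added example (not code from the original page): it routes application cookies through one helper, configures the session cookie the same way, and checks the queued Set-Cookie headers so a cookie missing either flag is caught before output is sent. It assumes PHP 7.3 or later and a web SAPI, because headers_list() returns nothing under the CLI.

```php
<?php
// Added example, not part of the original page.
// Assumes PHP >= 7.3 (array form of the options argument) and a web SAPI.

declare(strict_types=1);

// Every application cookie goes through one helper so a flag cannot be forgotten.
function setHardenedCookie(string $name, string $value, int $ttlSeconds = 0): bool
{
    return setcookie($name, $value, [
        'expires'  => $ttlSeconds > 0 ? time() + $ttlSeconds : 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable or writable via document.cookie
    ]);
}

// PHP sets the session cookie itself, so its flags are configured
// before session_start() rather than through setcookie().
session_set_cookie_params([
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
]);
session_start();

// 'pref' is a constructed sample cookie name.
setHardenedCookie('pref', 'dark', 60 * 60 * 24 * 30);

// Returns the Set-Cookie headers queued so far that lack either flag.
// An empty array means every cookie carries both Secure and HttpOnly.
function cookiesMissingFlags(): array
{
    $missing = [];
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        // PHP emits "; secure" and "; HttpOnly"; compare case-insensitively.
        $lower = strtolower($header);
        if (strpos($lower, '; secure') === false || strpos($lower, '; httponly') === false) {
            $missing[] = $header;
        }
    }
    return $missing;
}

// Fail loudly in development if a cookie slipped through without the flags.
assert(cookiesMissingFlags() === [], 'cookie set without Secure and HttpOnly');
```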