Just received the results of a security audit - everything clear apart from two things
Session cookie without http flag.
Session cookie without secure flag.
I know this specifically said they do not have access to the .ini file but for those who get here via search results the .ini settings look like:
session.cookie_httponly = 1
session.cookie_secure = 1
The cookie_secure line is already present by default in most ini files but commented out, so uncomment that line and set it to 1. The httponly line is also already present and not commented out, but it defaults to 0, so you must hunt it down and set it.
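Since the question says the .ini file cannot be edited, here is an added example (not from the answer above) of setting the same two flags from application code; it assumes PHP 7.3 or later for the array form of session_set_cookie_params and must run before session_start().

```php
<?php
// Added example: harden the PHP session cookie from application code when
// php.ini is not editable. Everything here must execute before
// session_start(), otherwise the cookie has already been queued without the flags.

// Option 1: per-directive, mirrors the two php.ini lines above.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

// Option 2 (PHP >= 7.3): one call that sets both flags and SameSite together.
session_set_cookie_params([
    'lifetime' => 0,        // 0 = session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // empty = current host only
    'secure'   => true,     // browser only sends the cookie over HTTPS
    'httponly' => true,     // cookie is not exposed to document.cookie in JavaScript
    'samesite' => 'Strict', // cookie is not sent on cross-site requests
]);

session_start();

// Sanity check: read back the parameters PHP will use for the session cookie
// and log if either flag the audit complained about is still missing.
$params = session_get_cookie_params();
if (empty($params['secure']) || empty($params['httponly'])) {
    error_log('Session cookie is missing the Secure or HttpOnly flag');
}
```

Note that with 'secure' => true the browser will not send the cookie at all over plain HTTP, so the site must be served over HTTPS (including during local testing) or sessions will silently stop working.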