It means the browser will only send the cookie when the current connection is encrypted (SSL/TLS). You only use it with an encrypted connection.
- http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure
- http://us3.php.net/manual/en/function.setcookie.php#refsect1-function.setcookie-parameters
You can optionally set the HttpOnly flag as well to prevent client-side scripts from accessing the cookie, which helps secure it further. So in your case set the 'secure' flag to FALSE and the HttpOnly flag to TRUE. That is as secure as your cookie setting will get, other than setting a path, which you most likely want as / anyway.
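The settings described above, as an added example that is not part of the original answer: it derives the `secure` flag from the current request so the same code works on plain HTTP now and turns the flag on once the site is served over TLS, while always setting HttpOnly and path `/`. The helper names and the optional `X-Forwarded-Proto` check (for a TLS-terminating proxy you control) are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example; function names are hypothetical, not from the answer.

// True when the request arrived over TLS. $trustProxy is an assumption:
// enable it only behind a proxy you control that sets X-Forwarded-Proto.
function request_is_https(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

// Session cookie options: Secure only when the connection is encrypted
// (otherwise the browser would never send the cookie back), HttpOnly always.
function session_cookie_options(array $server, bool $trustProxy = false): array
{
    return [
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => request_is_https($server, $trustProxy),
        'httponly' => true,   // not readable from document.cookie
    ];
}

if (PHP_SAPI !== 'cli') {
    // Web request: apply the options before the session starts.
    session_set_cookie_params(session_cookie_options($_SERVER));
    session_start();
} else {
    // CLI run: show the result for constructed sample requests.
    $samples = [
        'plain http'      => [],
        'direct https'    => ['HTTPS' => 'on'],
        'IIS-style off'   => ['HTTPS' => 'off'],
        'https via proxy' => ['HTTP_X_FORWARDED_PROTO' => 'https'],
    ];
    foreach ($samples as $label => $server) {
        $opts = session_cookie_options($server, true);
        printf("%-16s secure=%s httponly=%s path=%s\n", $label,
            var_export($opts['secure'], true),
            var_export($opts['httponly'], true), $opts['path']);
    }
}
```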