We are often asked for help troubleshooting attributes of Drupal's sessions cookies. The good news is that Drupal generally does a good job on this front, and it's seldom necessary to alter the default settings.
What are the HttpOnly and Secure attributes on (session) cookies?
A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
To help mitigate cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript... they are only sent to the server.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies
Drupal always sets the HttpOnly attribute on its session cookies
D7: https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L693
D8: https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/DrupalKernel.php#L999
There should be no need to alter this configuration, e.g. in settings.php
Drupal will set the Secure attribute on session cookies when the site is being accessed via https
D7: https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L821
Therefore, if the site is being accessed via https session cookies will typically have both the HttpOnly and Secure attribute set.
Common pitfalls
When testing session cookie attributes, accessing the site over plain http will result in the secure attribute not being set on the session cookie. In addition, browsers will not send a Secure cookie with a (non-secure) plain http request.
Examining the PHP cookie settings in php.ini or phpinfo() will not reflect the settings Drupal uses as it manages these settings for itself as per the code examples above.
Recommended testing approach
It's best to use a browser's developer tools to examine the attributes of Drupal's session cookie once you have logged in to the site (over https if you're hoping to see the Secure attribute set)
