Set httpOnly and secure on PHPSESSID cookie in PHP

Question

Whats the recommended way to set httponly and secure flags on the PHPSESSID cookie?

I found http://www.php.net/manual/en/session.configuration.php#ini.session.cookie

Answer 1

For a WordPress website, I fixed it using the following PHP code:

add_action('init', 'start_session', 1);
function start_session() {
    if(!session_id()) {
        session_start();
        $currentCookieParams = session_get_cookie_params();
        $sidvalue = session_id();
        setcookie(
            'PHPSESSID',//name
            $sidvalue,//value
            0,//expires at end of session
            $currentCookieParams['path'],//path
            $currentCookieParams['domain'],//domain
            true //secure
        );
    }
}

add_action('wp_logout','end_session');
add_action('wp_login','end_session');
function end_session() {
    session_destroy();
}

Paste the code in the functions.php file.