Session cookies http & secure flag - how do you set these?

Backend · unresolved · 3 answers · 1076 views
生来不讨喜 2020-12-23 10:16

Just received the results of a security audit - everything clear apart from two things

Session cookie without http flag.

Session cookie without secure flag.

3 answers
  •  醉话见心
    2020-12-23 10:32

    Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:

    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    

    Note that session cookies will only be sent with https requests after that. This might come as a surprise if you lose a session on a non-secured http page (but, as pointed out in the comments, that is really the point of the configuration in the first place...).
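The same two flags can be applied at runtime, which helps where `.htaccess` is unavailable or ignored (php-fpm behind nginx, for instance) and lets the application handle the "session lost over plain http" surprise the answer mentions by refusing to run over http at all. The following is an added example, not code from the original answer or from PHP's documentation; it assumes PHP 7.3 or newer (for the array form of `session_set_cookie_params()`), a hypothetical `CANONICAL_HOST` constant for the site's real hostname, and that only a trusted TLS-terminating proxy can set `X-Forwarded-Proto`:

```php
<?php
// Added example (not from the original answer): set HttpOnly/Secure/SameSite on
// the PHP session cookie at runtime. Must run before session_start() and before
// any output. Requires PHP >= 7.3.
declare(strict_types=1);

// Assumed for this example: the hostname users should be redirected to.
// Using a fixed value instead of $_SERVER['HTTP_HOST'] avoids redirecting to an
// attacker-supplied Host header.
const CANONICAL_HOST = 'example.com';

// Was this request delivered over TLS? Behind a TLS-terminating proxy PHP only
// sees plain HTTP, so X-Forwarded-Proto is honoured as well. Assumption: the
// backend is reachable only through that proxy, otherwise a client could spoof
// the header and obtain a Secure cookie over an unencrypted hop.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    $proto = (string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return strtolower($proto) === 'https';
}

function start_hardened_session(array $server): void
{
    // A cookie carrying the Secure flag is never sent over http://, so on a
    // plain-HTTP request the session would silently vanish. Redirect to https
    // instead of dropping the flag.
    if (!request_is_https($server)) {
        $target = 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
        header('Location: ' . $target, true, 301);
        exit;
    }

    ini_set('session.use_only_cookies', '1'); // never accept session IDs in URLs
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue (fixation)

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,   // same effect as php_value session.cookie_secure 1
        'httponly' => true,   // same effect as php_value session.cookie_httponly 1
        'samesite' => 'Lax',  // also blunts CSRF via cross-site POST
    ]);

    session_start();
}

start_hardened_session($_SERVER);
```

To confirm the fix from the outside, request the page over TLS with `curl -sI https://example.com/` and check that the `Set-Cookie: PHPSESSID=...` line ends with `HttpOnly` and `Secure` (and `SameSite=Lax`); the same request over plain `http://` should answer with a 301 and no session cookie at all, which is exactly the behaviour the audit asked for.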
