The "secure" attribute prevents cookies from being sent over plaintext connections such as HTTP, where they would be easily eavesdropped upon. Instead, cookies with the secure attribute are only sent over encrypted HTTPS connections.

Recommended Secure Coding Practices

Noncompliant Code Example

; php.ini
session.cookie_secure = 0 ; Noncompliant: session cookies will also be sent over plain HTTP

// in PHP code
session_set_cookie_params($lifetime, $path, $domain, false); // Noncompliant: the sixth parameter ($secure) is false, so the session cookie is not restricted to HTTPS

setcookie($name, $value, $expire, $path, $domain, false); // Noncompliant: the sixth parameter ($secure) is false, so the cookie is not restricted to HTTPS
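As an added example (not part of the rule text), the compliant counterparts of the calls above, plus a small helper showing how to confirm that the response itself is served over TLS; the placeholder variables, the sample values and the `request_is_https` helper are assumptions for illustration.

```php
<?php
// Placeholder values for the variables used in the noncompliant snippet
// (constructed for this example).
$lifetime = 3600;
$path     = '/';
$domain   = 'www.example.com';
$name     = 'prefs';
$value    = 'theme=dark';
$expire   = time() + 86400;

// Option 1: configuration. Equivalent to "session.cookie_secure = 1" in
// php.ini; applies to every session cookie regardless of how the session
// is started.
ini_set('session.cookie_secure', '1');   // Compliant
ini_set('session.cookie_httponly', '1'); // not required by this rule, but usually wanted

// Option 2: explicit parameters. PHP >= 7.3 accepts an options array; the
// positional form would set the sixth argument ($secure) to true instead.
session_set_cookie_params([
    'lifetime' => $lifetime,
    'path'     => $path,
    'domain'   => $domain,
    'secure'   => true,   // Compliant: cookie is only sent over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start(); // parameters must be set before the session is started

// Same idea for an ordinary (non-session) cookie.
setcookie($name, $value, [
    'expires'  => $expire,
    'path'     => $path,
    'domain'   => $domain,
    'secure'   => true,   // Compliant
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Hypothetical helper: a Secure cookie set by a page that is itself served over
// plain HTTP is rejected by modern browsers, so it is worth asserting that the
// request arrived over TLS. Behind a TLS-terminating proxy $_SERVER['HTTPS'] may
// be unset; only trust X-Forwarded-Proto if that proxy is known to set it.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}
```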

See