When setting session or other sensitive cookies, always enable the HttpOnly and Secure flags, and set SameSite as well (Strict, or Lax where cross-site top-level navigations must carry the session). HttpOnly prevents JavaScript from reading the cookie, Secure ensures the browser only sends it over HTTPS, and SameSite limits when the browser attaches it to cross-site requests, which blunts CSRF.
Why this matters
Without HttpOnly, a script injected via XSS can read document.cookie and exfiltrate the session identifier. Without Secure, the browser will also send the cookie over plain HTTP, exposing it to interception on the network. Proper cookie flags strengthen session security, with one caveat to keep in mind during review: HttpOnly stops the cookie value from being stolen, but an XSS payload can still issue authenticated requests from the victim's browser, so the flags are a hardening layer, not a substitute for fixing the XSS.
Side-by-side examples engineers can pattern-match during review.
<?php
// Bad: no flags, so the cookie is readable from JavaScript and is also sent over plain HTTP
setcookie('session', $sessionId); // no HttpOnly/Secure
?>

<?php
// Good: options-array form (PHP 7.3+); HTTPS-only, hidden from scripts, not sent on cross-site requests
setcookie('session', $sessionId, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
?>
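The pattern above covers cookies the application emits itself. Two things a reviewer usually wants on top of it, as an added example that is not part of the original rule page: the cookie that PHP's own session_start() sends is not governed by setcookie() at all but by session_set_cookie_params() and the session.* ini settings, and it helps to have a quick audit of the Set-Cookie headers a response actually produces. The function names hardenSessionCookie and auditSetCookieHeaders, the session-like name heuristic and the sample headers are this example's own assumptions.

```php
<?php
// Added example, not code from the original rule page.
// hardenSessionCookie() and auditSetCookieHeaders() are names chosen for this example.
declare(strict_types=1);

// setcookie() only affects cookies you emit yourself. The cookie that session_start()
// sends is controlled by session_set_cookie_params() and the session.* ini settings,
// so the flags must be configured there, before session_start() is called.
function hardenSessionCookie(): void
{
    // Array form requires PHP 7.3+ (same as the setcookie() options array above).
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable via document.cookie
        'samesite' => 'Strict', // use 'Lax' if cross-site top-level navigations must carry the session
    ]);
    ini_set('session.use_strict_mode', '1');  // reject uninitialised session IDs (session fixation)
    ini_set('session.use_only_cookies', '1'); // never accept the session ID from the URL
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
}

/**
 * Audit raw Set-Cookie header values and return "name: finding" strings for every
 * cookie whose name looks session-like (or for all cookies if $sensitiveOnly is false).
 */
function auditSetCookieHeaders(array $setCookieValues, bool $sensitiveOnly = true): array
{
    $findings = [];
    foreach ($setCookieValues as $value) {
        $parts = array_map('trim', explode(';', $value));
        $name  = explode('=', array_shift($parts), 2)[0];
        // Heuristic for "sensitive" cookie names; adjust to your application's naming.
        if ($sensitiveOnly && !preg_match('/sess|auth|token|sid/i', $name)) {
            continue;
        }
        $attrs = [];
        foreach ($parts as $p) {
            if ($p === '') {
                continue; // trailing ';'
            }
            [$k, $v] = array_pad(explode('=', $p, 2), 2, null);
            $attrs[strtolower($k)] = $v === null ? true : $v; // bare flags (Secure, HttpOnly) map to true
        }
        if (!isset($attrs['httponly'])) {
            $findings[] = "$name: missing HttpOnly";
        }
        if (!isset($attrs['secure'])) {
            $findings[] = "$name: missing Secure";
        }
        if (!isset($attrs['samesite'])) {
            $findings[] = "$name: missing SameSite";
        } elseif (strcasecmp((string) $attrs['samesite'], 'None') === 0 && !isset($attrs['secure'])) {
            $findings[] = "$name: SameSite=None requires Secure"; // browsers reject the cookie otherwise
        }
    }
    return $findings;
}

// Constructed sample headers in the shape a scanner or `curl -i` would show; not captured from a real site.
$sample = [
    'session=abc123; Path=/',                                    // bad: no flags at all
    'session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict', // good
    'auth_token=xyz; Path=/; HttpOnly; SameSite=None',           // bad: SameSite=None without Secure
    'theme=dark; Path=/',                                        // not sensitive, skipped by default
];
foreach (auditSetCookieHeaders($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

In a real deployment call hardenSessionCookie() from the bootstrap that runs before session_start(); the audit helper is meant for feeding header lines collected from a staging environment or a proxy, so flag gaps show up in review rather than in a pentest report.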