In my php.ini, I confirmed I have:
session.cookie_secure = 1
Also, doing:
<?php print_r(session_get_cookie_params()); ?>
Results in:
Array ( [lifetime] => 0 [path] => / [domain] => [secure] => 1 [httponly] => 1 )
However, inspecting a page in my application with Chrome Developer Tools and going to cookies, it lists that the session cookie is not secure and not HTTP only.
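
The check described above, comparing the configured flags with what the response really sends, as an added example that is not part of the original post. The function names `parse_set_cookie` and `missing_flags` are hypothetical, and the sample headers are constructed.

```php
<?php
// Added example, not code from the original post. Function names are hypothetical.

/** Parse one Set-Cookie header line into its cookie name and lower-cased attributes. */
function parse_set_cookie(string $header): array
{
    $value = preg_replace('/^Set-Cookie:\s*/i', '', trim($header));
    $parts = array_map('trim', explode(';', $value));
    [$name] = explode('=', array_shift($parts), 2);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') { continue; }
        $kv = explode('=', $part, 2);
        $attrs[strtolower($kv[0])] = $kv[1] ?? true; // flag attributes carry no value
    }
    return ['name' => $name, 'attrs' => $attrs];
}

/** List the flags that are configured for the session cookie but absent from the header. */
function missing_flags(array $configured, string $header): array
{
    $attrs = parse_set_cookie($header)['attrs'];
    $missing = [];
    foreach (['secure' => 'Secure', 'httponly' => 'HttpOnly'] as $key => $label) {
        if (!empty($configured[$key]) && !isset($attrs[$key])) {
            $missing[] = $label;
        }
    }
    return $missing;
}

$configured = session_get_cookie_params();
if (PHP_SAPI !== 'cli') {
    // Under a web SAPI, inspect the session cookie header this response really sends.
    session_start();
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    $headers = array_filter(headers_list(), fn($h) => stripos($h, $prefix) === 0);
} else {
    // Constructed sample headers and flags for an offline run.
    $configured = ['secure' => true, 'httponly' => true];
    $headers = [
        'Set-Cookie: PHPSESSID=constructed123; path=/',
        'Set-Cookie: PHPSESSID=constructed123; path=/; secure; HttpOnly',
    ];
}
foreach ($headers as $h) {
    $m = missing_flags($configured, $h);
    echo $h, ' => ', $m ? 'missing: ' . implode(', ', $m) : 'flags match config', PHP_EOL;
}
```

When served by the web server, request the script without an existing session cookie, since the session cookie header is normally sent only when a new session ID is issued.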