How to fix cookies that do not contain the 'secure' and 'HTTPOnly' attributes in Laravel

In a Laravel application running on an Apache server, if you're facing issues where cookies do not contain the "secure" or "HTTPOnly" flags, it typically means that your application's session configuration and server settings need some adjustments. Here's how you can address these issues:

  1. Adding the "secure" Flag to Cookies:

    To ensure that cookies are marked as "secure," you need to configure your Laravel application to generate secure cookies. Secure cookies are only sent over HTTPS connections.

    Open your config/session.php file and make sure that the secure option resolves to true, either by setting SESSION_SECURE_COOKIE=true in your .env file or by changing the default passed to env(). It should look like this:

    'secure' => env('SESSION_SECURE_COOKIE', true),

    Additionally, ensure that your Laravel application is served over HTTPS. If it's not, you'll need to set up SSL/TLS for your Apache server to enable HTTPS.

  2. Adding the "HTTPOnly" Flag to Cookies:

    To make cookies "HTTPOnly," you can configure your Laravel application's session settings. The "HTTPOnly" flag ensures that cookies are not accessible via JavaScript (document.cookie), so a cross-site scripting flaw cannot be used to read the session cookie directly.

    In your config/session.php file, ensure that the http_only option is set to true:

    'http_only' => true,

    This setting will make sure that session cookies are marked as "HTTPOnly."

  3. Verify Server Configuration:

    Check your Apache server configuration to ensure it's not modifying the cookie attributes in a way that contradicts your Laravel configuration. For example, if you have custom Apache configurations or .htaccess files, they might be altering cookie settings.

  4. Clear Browser Cookies:

    After making the changes, you may need to clear your browser's cookies to ensure that the new settings take effect.

  5. Testing:

    Test your application over HTTPS to confirm that cookies now have the "secure" and "HTTPOnly" flags set. You can use browser developer tools to inspect the cookies and their attributes.
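The following script is an added example for the testing step and is not part of the original post or of Laravel itself. It checks every Set-Cookie header it reads on stdin for the Secure and HttpOnly attributes, which is the same check a scanner performs. The hostname in the comment is a placeholder, and the sample headers at the bottom are constructed to show one cookie that passes and one that fails.

```shell
#!/bin/sh
# check_set_cookie: read raw HTTP response headers on stdin and report, for each
# Set-Cookie header, whether the Secure and HttpOnly attributes are present.
# Prints "OK <name>" or "MISSING <name>: <attributes>" and exits 1 if any cookie
# lacks an attribute. Typical use against a live app (placeholder hostname):
#   curl -sS -D - -o /dev/null https://your-app.example/ | check_set_cookie
check_set_cookie() {
    awk '
    tolower($0) ~ /^set-cookie:/ {
        sub(/\r$/, "")                         # raw HTTP lines end in CRLF
        hdr = substr($0, index($0, ":") + 1)   # everything after "Set-Cookie:"
        n = split(hdr, parts, ";")             # attributes are ";"-separated
        split(parts[1], nv, "=")               # first part is name=value
        name = nv[1]; gsub(/^[ \t]+|[ \t]+$/, "", name)
        secure = 0; httponly = 0
        for (i = 2; i <= n; i++) {
            # attribute names are case-insensitive per RFC 6265
            attr = tolower(parts[i]); gsub(/^[ \t]+|[ \t]+$/, "", attr)
            if (attr == "secure")   secure = 1
            if (attr == "httponly") httponly = 1
        }
        missing = ""
        if (!secure)   missing = "Secure"
        if (!httponly) missing = (missing == "" ? "" : missing ", ") "HttpOnly"
        if (missing == "") print "OK " name
        else { print "MISSING " name ": " missing; bad = 1 }
    }
    END { exit bad ? 1 : 0 }
    '
}

# Constructed sample headers (not captured from a real server): a CSRF cookie
# without either flag and a session cookie with both.
sample_headers='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: XSRF-TOKEN=sample-token-value; expires=Thu, 01 Jan 2026 00:00:00 GMT; Max-Age=7200; path=/; samesite=lax
Set-Cookie: laravel_session=sample-session-value; expires=Thu, 01 Jan 2026 00:00:00 GMT; Max-Age=7200; path=/; secure; httponly; samesite=lax'

printf '%s\n' "$sample_headers" | check_set_cookie \
    || echo "at least one cookie is missing Secure or HttpOnly"
```

One caveat when reading the output: Laravel issues its XSRF-TOKEN cookie without HttpOnly on purpose, because front-end code (for example axios) reads it to send the CSRF header, so a scanner will keep flagging that cookie after the http_only change; the Secure attribute on it, and both attributes on laravel_session, do follow config/session.php.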

Remember to keep your Laravel and server software up to date to benefit from security enhancements and bug fixes. Additionally, consider implementing other security measures, such as Content Security Policy (CSP) headers, to further enhance your application's security.
