  • john eischen thinks this is interesting:

Both of these flags can be set either by defining the appropriate constant in the server’s php.ini file or at runtime through session_set_cookie_params before session_start() is invoked by the application.

From Security Principles for PHP Applications

Note

This should be done everywhere now that HTTPS is general.
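
The runtime route described in the highlighted passage, as an added example that is not taken from the book or from the note above. It assumes the two flags are the session cookie's Secure and HttpOnly attributes, which the excerpt itself does not name; `start_hardened_session()` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Server-wide alternative in php.ini (same assumption about which flags are meant):
//   session.cookie_secure   = 1
//   session.cookie_httponly = 1

/**
 * Hypothetical helper: set the cookie flags at runtime, then start the session.
 */
function start_hardened_session(): void
{
    // The flags only shape the Set-Cookie header that session_start() emits,
    // so changing them after the session is active has no effect.
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('Session already active; cookie flags can no longer be changed.');
    }

    // If output has already begun, no cookie header can be sent at all.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Headers already sent at {$file}:{$line}; cannot set the session cookie.");
    }

    // Array form requires PHP 7.3+. Returns false if the parameters are rejected.
    $ok = session_set_cookie_params([
        'lifetime' => 0,     // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,  // cookie is only sent over HTTPS
        'httponly' => true,  // cookie is not readable from document.cookie
    ]);
    if (!$ok) {
        throw new RuntimeException('session_set_cookie_params() rejected the parameters.');
    }

    if (!session_start()) {
        throw new RuntimeException('session_start() failed.');
    }

    // Confirm the values PHP will actually use for this session's cookie.
    $params = session_get_cookie_params();
    if (!$params['secure'] || !$params['httponly']) {
        throw new RuntimeException('Session cookie flags were not applied.');
    }
}

start_hardened_session();
```

With `secure` enabled the browser only returns the session cookie over HTTPS, so a page served over plain HTTP will start a fresh session on every request.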