The Secure flag instructs the browser to send the cookie only over an HTTPS connection; on a plain HTTP request to the same host the cookie is withheld, so it cannot be captured by a passive eavesdropper. The flag is off by default and must be enabled explicitly, in PHP via the sixth parameter of setcookie():
setcookie($name, $value, $expire, $path, $domain, 1, $httponly);
The HttpOnly flag, the seventh parameter, keeps the cookie out of reach of client-side scripts: the browser still sends it with requests, but document.cookie does not expose it, which limits what an XSS payload can steal:
setcookie($name, $value, $expire, $path, $domain, $secure, 1);
The SameSite attribute tells the browser whether to attach the cookie to cross-site requests. It can be set to Strict or Lax (a third value, None, disables the protection and requires Secure). Strict means the cookie is never sent on a request that originates from another site, not even when the user follows a link into the application, so the first page after arriving appears logged out; this is acceptable for applications such as online banking. Lax sends the cookie on top-level navigations that use a safe method (a GET link or redirect) but withholds it on cross-site requests that can change state, such as a form POST, and on embedded subresources, so it is usually a reasonable balance between CSRF protection and usability. Since PHP 7.3 the attribute is passed in the options array that replaces the positional parameters of setcookie(); on older versions the only workaround is to append the attribute to the path string, which PHP copies into the header unparsed (appending it to $httponly, a boolean, does nothing).
setcookie($name, $value, ['expires' => $expire, 'path' => $path, 'domain' => $domain, 'secure' => $secure, 'httponly' => $httponly, 'samesite' => 'Lax']);
The domain attribute controls which hosts receive the cookie. A Domain value always includes its subdomains, so setting it to example.com hands the cookie to every host under that name, including other, possibly less secure, applications. The tightest setting is to omit the attribute (an empty string in PHP), which makes the cookie host-only: the browser returns it solely to the exact host that set it. If the attribute is needed, set it to the most specific host possible:
setcookie($name, $value, $expire, $path, "app.example.com", $secure, $httponly);
setcookie($name, $value, $expire, $path, "", $secure, $httponly);
Use the path attribute to restrict, as tightly as possible, the URL paths on the host for which the browser sends the cookie. If it is set too loosely (for example "/"), every application on the same server receives the cookie, and a less secure one among them can leak it. Note that path is not a security boundary in the browser: the same-origin policy ignores the path, so a script running at /other/ on the same host can still load /myapp/ in a frame and read its cookies. Path scoping limits accidental exposure, not a deliberate attack from the same origin.
setcookie($name, $value, $expire, "/myapp/", $domain, $secure, $httponly);
Sensitive information, in particular a session identifier, should never be stored in a persistent cookie, i.e. one whose expiry date lies in the future. If the web application has a vulnerability that lets an attacker obtain a user's cookies, the stolen session id remains usable until that date is reached. Setting the expiry to 0 (the documented value; NULL is cast to 0 on older PHP but is deprecated from PHP 8.1) makes it a session cookie that the browser discards when it is closed. Keep in mind that the expiry is only advice to the browser, and a browser that restores its previous session may keep session cookies across restarts; the server must still invalidate sessions after a fixed lifetime and on logout.
setcookie($name, $value, 0, $path, $domain, $secure, $httponly);
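The following helper, added here as an example and not part of the original page, applies all of the attributes above in one place using the options-array form of setcookie() (PHP 7.3 and later), configures PHP's own session cookie the same way through session_set_cookie_params(), and keeps a fallback for older PHP that appends SameSite to the path. The cookie name, path, host and session-id generation are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original page). Assumed values: cookie name
// "sid", path /myapp/, host app.example.com.

function secure_cookie_options(string $path = '/myapp/', string $domain = '', string $samesite = 'Lax'): array
{
    // Only the three defined SameSite values are accepted; None is allowed
    // but only makes sense together with Secure, which is forced below.
    $allowed = ['Strict', 'Lax', 'None'];
    if (!in_array($samesite, $allowed, true)) {
        throw new InvalidArgumentException('samesite must be one of ' . implode(', ', $allowed));
    }
    return [
        'expires'  => 0,         // 0 = session cookie, discarded when the browser closes
        'path'     => $path,     // as narrow as possible
        'domain'   => $domain,   // '' = host-only cookie (tightest); never widen to example.com
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // hidden from document.cookie
        'samesite' => $samesite, // not attached to cross-site state-changing requests
    ];
}

// Set an application-managed session-id cookie with every attribute hardened.
function set_session_id_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, secure_cookie_options());
}

// PHP's own session cookie (PHPSESSID) is not set through setcookie();
// configure it with session_set_cookie_params() before session_start().
function start_hardened_session(): void
{
    $o = secure_cookie_options();
    session_set_cookie_params([
        'lifetime' => $o['expires'],   // 0 = session cookie
        'path'     => $o['path'],
        'domain'   => $o['domain'],
        'secure'   => $o['secure'],
        'httponly' => $o['httponly'],
        'samesite' => $o['samesite'],
    ]);
    session_start();
}

// Fallback for PHP < 7.3, where setcookie() has no samesite option: the
// attribute is appended to the path string, which PHP copies into the
// Set-Cookie header without parsing it. (Assumption: only needed on legacy
// installations; prefer the options array wherever available.)
function set_session_id_cookie_legacy(string $name, string $value): bool
{
    $o = secure_cookie_options();
    return setcookie(
        $name,
        $value,
        $o['expires'],
        $o['path'] . '; SameSite=' . $o['samesite'],
        $o['domain'],
        $o['secure'],
        $o['httponly']
    );
}

// Usage: a fresh, unpredictable session id from the CSPRNG.
set_session_id_cookie('sid', bin2hex(random_bytes(32)));
// Resulting header (roughly):
// Set-Cookie: sid=...; path=/myapp/; secure; HttpOnly; SameSite=Lax
```

The helper deliberately leaves the domain empty by default so the cookie is host-only; pass a domain only when sibling subdomains genuinely need it, and never the registrable domain. Because the browser-side expiry is merely advisory, pair this with a server-side session lifetime and invalidation on logout.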