Missing secure and httponly attribute on PHP session cookie
The flaw is due to the SSL cookie not using the 'secure' attribute, which allows the cookie to be passed to the server by the client over non-secure channels (http) and allows an attacker to conduct session hijacking attacks.
Many thanks to Alexander Norman <xh [at] xh [dot] se> for reporting this issue.
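A way to check responses for the condition described above, as an added example that is not part of the original advisory or the affected project's code. It assumes the session cookie uses PHP's default name `PHPSESSID`; the header lines are constructed samples.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes."""

# Constructed sample response headers (not from any real application).
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/",
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly",
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; secure; HttpOnly",
    "Set-Cookie: theme=secure-dark; path=/",
    "Content-Type: text/html; charset=UTF-8",
]

REQUIRED = ("secure", "httponly")


def parse_set_cookie(header_line):
    """Return (cookie_name, lowercased attribute names) or None."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].partition("=")[0].strip()
    if not cookie_name:
        return None
    # Only the parts after the first name=value pair are attributes, so a
    # cookie *value* containing "secure" is not mistaken for the flag.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return cookie_name, attrs


def missing_attributes(header_line):
    """Return (cookie_name, [missing required attributes]) or None."""
    parsed = parse_set_cookie(header_line)
    if parsed is None:
        return None
    name, attrs = parsed
    return name, [a for a in REQUIRED if a not in attrs]


def audit(header_lines, session_name="PHPSESSID"):
    """List session cookies that lack at least one required attribute."""
    results = (missing_attributes(line) for line in header_lines)
    return [r for r in results if r and r[0] == session_name and r[1]]


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```

In PHP, the two attributes are controlled by the `session.cookie_secure` and `session.cookie_httponly` ini directives.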