Just received the results of a security audit - everything clear apart from two things
Session cookie without HttpOnly flag.
Session cookie without secure flag set.
The application is coded in PHP and the suggestions to fix are:
I have looked at examples but don't fully understand how to implement this on a Linux server. I don't have access to the .ini file. Is it possible to set these in the .htaccess file?
Alternatively, how and where do I implement in the code?
Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:
php_value session.cookie_httponly 1
php_value session.cookie_secure 1
Note that session cookies will only be sent with HTTPS requests after that. This might come as a surprise if you lose a session on a non-secured HTTP page (but, as pointed out in the comments, that is really the point of the configuration in the first place...).
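For the second half of the question (setting the flags in code rather than in .htaccess), here is an added example; it is not part of the answer above and not the asker's code. It sets the same two ini options at runtime before session_start(), which works because both are PHP_INI_ALL, and it adds a guard against the "lost session" surprise the answer warns about by refusing to start a Secure-flagged session over plain HTTP. The function names, the CANONICAL_HOST constant and the $_SERVER['HTTPS'] check are assumptions for illustration; if TLS is terminated at a reverse proxy, the HTTPS check has to be adapted to whatever header the proxy sets.

```php
<?php
// Added example, not from the original question or answer: hardening the
// PHP session cookie from application code when php.ini is not available.
// Everything here must run before session_start(); once the Set-Cookie
// header for the session has gone out, changing these settings does nothing.

declare(strict_types=1);

// Assumed: the host users should always be sent to. Redirecting to
// $_SERVER['HTTP_HOST'] instead would let an attacker-controlled Host header
// steer the redirect, so a fixed value is used.
const CANONICAL_HOST = 'www.example.com';

/**
 * Apply the two settings the audit asked for (plus two cheap, related ones)
 * and return the effective cookie parameters so the caller can verify them.
 */
function harden_session_cookie(bool $requireHttps = true): array
{
    // Same effect as "php_value session.cookie_httponly 1": the session id is
    // not readable from JavaScript (document.cookie), which limits what an
    // XSS bug can exfiltrate.
    ini_set('session.cookie_httponly', '1');

    // Same effect as "php_value session.cookie_secure 1": the browser only
    // sends the cookie on https:// requests. A session started on an http://
    // page will appear to be lost on the next request, as the answer notes.
    ini_set('session.cookie_secure', $requireHttps ? '1' : '0');

    // Not required by the audit, but closely related: never accept a session
    // id from the URL, and reject ids the server did not generate itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // Reflects the ini values just set: keys 'secure' and 'httponly' are bools.
    return session_get_cookie_params();
}

/**
 * Assumed convention: PHP sets $_SERVER['HTTPS'] to a non-empty value other
 * than "off" when the request itself arrived over TLS.
 */
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

if (PHP_SAPI !== 'cli') {
    if (!request_is_https($_SERVER)) {
        // Do not start a Secure-only session the browser would immediately
        // drop; send the user to the https:// version of the same URL instead.
        $target = 'https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: ' . $target, true, 301);
        exit;
    }

    $params = harden_session_cookie();
    session_start();

    // Sanity check a practitioner would want: the outgoing Set-Cookie header
    // for the session cookie must carry both attributes. headers_list() only
    // shows headers on the request that actually issued the cookie.
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie: ' . session_name() . '=') === 0) {
            if (stripos($header, 'HttpOnly') === false || stripos($header, 'Secure') === false) {
                error_log('session cookie is missing HttpOnly or Secure: ' . $header);
            }
        }
    }
}
```

To confirm the result from the outside, open the login page over HTTPS and look at the response headers (curl -I https://www.example.com/login.php): the Set-Cookie line for PHPSESSID should end with "; secure; HttpOnly". If the site is reached over HTTP anywhere (hard-coded http:// links, a proxy that terminates TLS without telling PHP), the redirect branch above fires, so check for redirect loops after deploying.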