Update PHP setcookie() calls to use secure and HTTP

Right now calls to `setcookie()` actually uses PHP default (i.e. `false`) for HTTPonly and secure flags. The secure flag should always be `true`, and the httponly flag should be `true` if we know that it is not accessed by JS.