Friday, October 6, 2017

Securing the PHPSESSID cookie

One of my PHP web applications uses PHP's session functionality to remember the current user. I noticed, though, that the PHPSESSID cookie generated for me isn't marked Secure or HttpOnly, even though I serve the site exclusively over HTTPS and never need JavaScript to touch the cookie. Without those flags the session id can be sent in a plain-HTTP request to the same host and can be read by any script that runs on the page, so as a defense-in-depth measure I looked into setting them. Using php_flag in .htaccess didn't work; it caused a 500 error, with the server log reporting the command as unknown (Apache only understands php_flag when PHP runs as an Apache module, not via FastCGI/PHP-FPM). The ini_set approach didn't seem to have an effect on my server either; note that session.cookie_secure and session.cookie_httponly only take effect if they are set before session_start. Using session_set_cookie_params did the job. I'm including this line before session_start:

// arguments: lifetime, path, domain, secure, httponly; must run before session_start()
session_set_cookie_params($cookieTime, '/', $myDomain, true, true);
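As an added example (not code from the original post), here is the same setup written against the array form of session_set_cookie_params that PHP 7.3 introduced, which also lets you set SameSite, together with the related session hardening a practitioner would usually bundle with it. The function name configureSecureSession and the HTTPS check are my own; $cookieTime and $myDomain are the placeholders from the post.

```php
<?php
// Added example, not from the original post. Requires PHP >= 7.3 for the
// options-array form of session_set_cookie_params (the 'samesite' key).
declare(strict_types=1);

/**
 * Configure and start a session whose PHPSESSID cookie is Secure, HttpOnly
 * and SameSite. Everything here must run before session_start(), because
 * the cookie parameters are read when the session id cookie is emitted.
 *
 * @param int    $cookieTime cookie lifetime in seconds (0 = session cookie)
 * @param string $myDomain   cookie domain, e.g. 'example.com'
 */
function configureSecureSession(int $cookieTime, string $myDomain): void
{
    // Refuse to hand out a session over plain HTTP: a Secure cookie would
    // never be returned on such a request, and a non-Secure one would leak
    // the session id. (Behind a TLS-terminating proxy, check the proxy's
    // forwarded-proto header instead; that is deployment-specific.)
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$isHttps) {
        http_response_code(400);
        exit('Sessions are only available over HTTPS.');
    }

    // Accept a client-supplied session id only if the server issued it.
    // This blocks session fixation via an attacker-chosen PHPSESSID value.
    ini_set('session.use_strict_mode', '1');
    // Never fall back to carrying the session id in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => $cookieTime,
        'path'     => '/',
        'domain'   => $myDomain,
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from document.cookie
        // 'Lax' still sends the cookie on top-level GET navigations from
        // other sites; use 'Strict' if your app never needs that.
        'samesite' => 'Lax',
    ]);

    session_start();

    // Issue a fresh id the first time this session is used, and do the same
    // again at login, so an id obtained before authentication is worthless.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

configureSecureSession(3600, 'example.com');
```

After deploying, confirm the flags actually reach the browser rather than trusting the configuration: `curl -sI https://example.com/ | grep -i set-cookie` should print a PHPSESSID line ending in `; secure; HttpOnly; SameSite=Lax`. If the `secure` attribute is missing, the request most likely did not arrive over HTTPS as far as PHP could tell, which is the proxy case noted in the comments.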
