Problem :
Security Audit comes to you with a Vulnerability Scan Report and Shows following vulnerability has been identified on your PHP website.
Vulnerability : Cookies Not set over the SSL
Even you make changes to your proxy, force SSL connection to your website at IIS level , the vulnerability remains there. Changes made to web server (IIS or any other) or Proxy level are not reflected to a PHP site because PHP settings are governed by php.ini file.
Resolution :
Just add following 2 lines to your php.ini file under the "sessions" section :
session.cookie_httponly = 1
session.cookie_secure = 1
Restart your website.
You will not find the "Cookies Not set over the SSL" vulnerability again in the Security Audit.
CHEERS!!!