I think you should always consider the following Cookie attributes for security sensitive data such as session ids
HttpOnly => Cookie exchange only via HTTP protocol - protects you against XSS attacks
SameSite=strict => Cookies only accessible for servers that match the domain in the cookie attribute - Protects you against CSRF attacks
secure => Cookies can only be transferred with an active SSL-/TLS encryption (HTTPS) - Protects you against man in the middle attacks
Furthermore if you use a reverse proxy:
Ensure that the X-Forwarded-For headers are set and that the Proxy Caching Policy of the Reverse Proxy does not interfere with your Set-Cookie header (proxy-pass-header: Server;).
(It is possible that your proxy cache swallows Set-Cookie headers and that's a nightmare to debug)
But just setting the correct cookie attributes does not make your site magically secure or protect you against all XSS or CSRF vectors.
You should always educate yourself about common attack vectors when you work with sensitive data.
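An added example (not part of the comment above or of any project it refers to) showing the three attributes applied to a session cookie, plus the check a practitioner wants when a reverse proxy sits in front of the app: does the Set-Cookie header still reach the client, and does it still carry HttpOnly, Secure and SameSite? The cookie name `sessionid`, the helper names and the sample response headers are all constructed for this illustration.

```python
import secrets

# Cookie attributes the comment recommends for security-sensitive cookies.
# HttpOnly: not exposed to document.cookie; Secure: only sent over HTTPS;
# SameSite=Strict: not attached to cross-site requests.

def build_session_cookie(name="sessionid", value=None, max_age=3600):
    """Return a hardened Set-Cookie header value for a session cookie.
    A random token is generated when no value is given (constructed sample)."""
    value = value if value is not None else secrets.token_urlsafe(32)
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return a list of hardening problems found in one Set-Cookie header
    (empty list means all three attributes are present and SameSite is not None)."""
    _, _, attrs = parse_set_cookie(header)
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        problems.append("missing or weak SameSite (expected Strict or Lax)")
    return problems


def audit_response_headers(headers, cookie_name="sessionid"):
    """headers: list of (name, value) pairs as seen on the client side of the proxy.
    Reports when the session Set-Cookie never arrives (e.g. swallowed by a proxy
    cache) and otherwise audits every Set-Cookie for that cookie name."""
    found = [v for k, v in headers
             if k.lower() == "set-cookie" and parse_set_cookie(v)[0] == cookie_name]
    if not found:
        return [f"no Set-Cookie for {cookie_name} in response"]
    problems = []
    for header in found:
        problems.extend(audit_set_cookie(header))
    return problems


# Constructed sample responses: what the app emits vs. what a mis-configured
# caching proxy forwards after dropping the Set-Cookie header.
APP_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", build_session_cookie(value="constructed-token")),
]
PROXIED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-Cache", "HIT"),
]

if __name__ == "__main__":
    print("app     :", audit_response_headers(APP_RESPONSE))
    print("proxied :", audit_response_headers(PROXIED_RESPONSE))
    print("weak    :", audit_set_cookie("sessionid=abc; Path=/; SameSite=None"))
```

Run the audit against the headers returned through the proxy (for example from a `curl -i` capture) rather than against the app directly; a cookie that is hardened at the origin but never reaches the browser, or reaches it stripped of attributes, is exactly the case the comment warns is painful to debug.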