It specifies whether cookies should only be sent over secure connections.
it means cookie will be sent on HTTPS protocol, not on HTTP.
you can set in PHP by using
session.cookie_secure = On; in php.ini
or by setting session_set_cookie_params () function while setting cookie,
or ini_set() but before session_start() is called in your application.
If you are running your site on both protocol, HTTP, and HTTPS and let’s say, you set login cookie as https only.
if somehow , the user is migrating from HTTPS to HTTP, the user would not be login anymore, as session id will not be available for that user and SESSION array in PHP will be empty because session id will be transmitted over https.