JavaScript Cookies: the Secure and HttpOnly Attributes


A cookie marked with the Secure attribute is only sent by the browser over a secure channel (in practice, HTTPS), so it is never exposed in a plaintext HTTP request where a network attacker could read it. This protects the cookie's confidentiality "in transit". Note the caveat in the same RFC section: Secure protects confidentiality only. An active network attacker who can answer a plain http:// request for the site can still set or overwrite a Secure cookie from the insecure channel, so the attribute is not an integrity guarantee (current browsers tighten this by refusing to store a Secure cookie that arrives over a non-secure connection).

The Secure attribute limits the scope of the cookie to "secure"
channels (where "secure" is defined by the user agent). When a
cookie has the Secure attribute, the user agent will include the
cookie in an HTTP request only if the request is transmitted over a
secure channel (typically HTTP over Transport Layer Security (TLS)
[RFC2818]).

A cookie marked with the HttpOnly attribute is not exposed to client-side script: document.cookie and similar non-HTTP APIs neither return it nor can overwrite it. The browser only "passes it through" on HTTP requests, which protects the cookie on the client side. The practical benefit is that a cross-site scripting (XSS) bug can no longer exfiltrate the session token by reading document.cookie; it does not stop injected script from issuing requests that carry the cookie, so HttpOnly reduces the impact of XSS rather than eliminating it.

The HttpOnly attribute limits the scope of the cookie to HTTP
requests. In particular, the attribute instructs the user agent to
omit the cookie when providing access to cookies via "non-HTTP" APIs
(such as a web browser API that exposes cookies to scripts).

Note that the HttpOnly attribute is independent of the Secure
attribute: a cookie can have both the HttpOnly and the Secure
attribute.

via: http://tools.ietf.org/html/rfc6265#section-4.1.2.5
