Set httpOnly to block JavaScript access to the cookie (XSS), secure to restrict it to HTTPS, and sameSite: 'strict' for CSRF protection. Regenerate the session ID on login to prevent session fixation, and again after any privilege escalation, so a session issued before authentication cannot be reused to hijack the authenticated one.
httpOnly — JavaScript cannot access the cookie via document.cookie; blocks XSS-based session theft.
secure — cookie is only sent over HTTPS; prevents transmission over plain HTTP connections.
sameSite: 'strict' — cookie is not sent on cross-site requests; the primary CSRF defense for modern browsers.
Session fixation — attacker sets a known session ID before login; regenerate() issues a fresh ID at login.
For cross-origin APIs (different domain frontend), use sameSite: 'none' + secure + add CSRF token header validation.