On en.wikipedia.org:
* `enwikimwuser-sessionId`
** lacks the `Secure` flag
* `enwikiwmE-sessionTickLastTickTime`
** lacks the `Secure` flag
* `enwikiwmE-sessionTickTickCount`
** lacks the `Secure` flag
* `GeoIP`
** Should be documented on https://foundation.wikimedia.org/wiki/Cookie_statement - I know that page says "here are some examples" but in that case it seems specifically worthwhile to document that cookie.
* It's not that many cookies that are set for users without an account. Therefore I think these should all be documented.
I am operating under the assumption that there's no reason not to set the `Secure` flag on any cookies now that there is HTTPS everywhere. And if it's a set goal that cookies should be hardened (harder to steal, leak) and it is worthwhile to set the `Secure` flag on the login cookie, then why not consistently set the cookie flags for all cookies?
(There are reasons to omit the `HttpOnly` flag - for those cookies set by JavaScript. All cookies that I've seen that are set for noscript users have the `HttpOnly` flag already.)
I would guess there are at least two code paths. The code path for setting the login cookie which contains the `Secure` flag and a different code path for other cookies. Perhaps that should be unified?
Also, it seems like extensions can set their own cookies, but they're not using MediaWiki's core API for that. Maybe MediaWiki's extensions should be encouraged to use a (maybe yet to be invented) API to set cookies, and MediaWiki's core should add a warning encouraging extensions to use that API?
Similar to T110353.
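
The kind of audit described in this report, as an added example that is not part of the original task and is not MediaWiki code: it parses `Set-Cookie` style strings, reports cookies lacking `Secure`, and treats a missing `HttpOnly` as acceptable only for cookies listed as set by JavaScript. The cookie values, the attributes shown, the `exampleLoginCookie` name and the function names are assumptions made for illustration.

```javascript
// Added example: audit cookie strings for missing hardening flags.
// Cookie names 1-3 come from the report; values and attributes are constructed.
const sampleHeaders = [
  'enwikimwuser-sessionId=abc123; Path=/',
  'enwikiwmE-sessionTickLastTickTime=1700000000000; Path=/',
  'enwikiwmE-sessionTickTickCount=4; Path=/; SameSite=Lax',
  'exampleLoginCookie=constructed; Path=/; Secure; HttpOnly', // hypothetical name
];

// Parse one cookie string into { name, attrs }; attribute names are
// case-insensitive, so they are lower-cased before lookup.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Return one finding per cookie that lacks a flag. jsSetCookies names cookies
// that scripts set and read, where omitting HttpOnly is intentional.
function auditCookies(headers, jsSetCookies = new Set()) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    const missing = [];
    if (!attrs.has('secure')) missing.push('Secure');
    if (!attrs.has('httponly') && !jsSetCookies.has(name)) missing.push('HttpOnly');
    if (missing.length > 0) findings.push({ name, missing });
  }
  return findings;
}

// Assumption: these three are the JavaScript-set cookies in the sample.
const jsSet = new Set(sampleHeaders.slice(0, 3).map((h) => parseSetCookie(h).name));
for (const f of auditCookies(sampleHeaders, jsSet)) {
  console.log(`${f.name}: missing ${f.missing.join(', ')}`);
}
```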