diff --git a/system/blueprints/config/system.yaml b/system/blueprints/config/system.yaml
index 80eb4c039..8acee8597 100644
--- a/system/blueprints/config/system.yaml
+++ b/system/blueprints/config/system.yaml
@@ -806,6 +806,29 @@ form:
 label: PLUGIN_ADMIN.NAME
 help: PLUGIN_ADMIN.SESSION_NAME_HELP
+ session.secure:
+ type: toggle
+ label: PLUGIN_ADMIN.SESSION_SECURE
+ help: PLUGIN_ADMIN.SESSION_SECURE_HELP
+ highlight: 1
+ options:
+ 1: PLUGIN_ADMIN.YES
+ 0: PLUGIN_ADMIN.NO
+ default: false
+ validate:
+ type: bool
+
+ session.httponly:
+ type: toggle
+ label: PLUGIN_ADMIN.SESSION_HTTPONLY
+ help: PLUGIN_ADMIN.SESSION_HTTPONLY_HELP
+ highlight: 1
+ options:
+ 1: PLUGIN_ADMIN.YES
+ 0: PLUGIN_ADMIN.NO
+ default: true
+ validate:
+ type: bool
 advanced:
 type: section
diff --git a/system/config/system.yaml b/system/config/system.yaml
index 0fc94b384..3dfaa1c3b 100644
--- a/system/config/system.yaml
+++ b/system/config/system.yaml
@@ -111,5 +111,5 @@ session:
 enabled: true # Enable Session support
 timeout: 1800 # Timeout in seconds
 name: grav-site # Name prefix of the session cookie. Use alphanumeric, dashes or underscores only. Do not use dots in the session name
-
-
+ secure: false # Set session secure. If true, indicates that communication for this cookie must be over an encrypted transmission. Enable this only on sites that run exclusively on HTTPS
+ httponly: true # Set session HTTP only. If true, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.
\ No newline at end of file
diff --git a/system/src/Grav/Common/Session.php b/system/src/Grav/Common/Session.php
index 5be15ec35..bb34d3b2c 100644
--- a/system/src/Grav/Common/Session.php
+++ b/system/src/Grav/Common/Session.php
@@ -36,18 +36,23 @@ class Session extends \RocketTheme\Toolbox\Session\Session
 }
 if ($config->get('system.session.enabled') || $is_admin) {
-
- // Define session service.
 parent::__construct(
 $session_timeout,
 $session_path
 );
+ $domain = $uri->host();
+ if ($domain == 'localhost') {
+ $domain = '';
+ }
+ $secure = $config->get('system.session.secure', false);
+ $httponly = $config->get('system.session.httponly', true);
+
 $unique_identifier = GRAV_ROOT;
 $this->setName($config->get('system.session.name', 'grav_site') . '-' . substr(md5($unique_identifier), 0, 7) . ($is_admin ? '-admin' : ''));
 $this->start();
- setcookie(session_name(), session_id(), time() + $session_timeout, $session_path);
+ setcookie(session_name(), session_id(), time() + $session_timeout, $session_path, $domain, $secure, $httponly);
 }
 }
 }
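Review bot: Passing `$uri->host()` as the domain argument of the new setcookie() call widens the session cookie's scope: a cookie carrying an explicit Domain attribute is sent to every subdomain of that host, whereas the previous call (no domain) produced a host-only cookie, so the session token would now also reach any sibling subdomain. The `localhost` special case covers only one of the values browsers may reject as a Domain (IP addresses and other single-label hosts are similar), and if `$uri->host()` is taken from the request's Host header the value is client-influenced rather than configured. Separately, the secure/httponly flags reach only this manual setcookie(); the Set-Cookie header that `$this->start()` emits through PHP's own session handler still uses the ini cookie parameters unless the parent constructor, which is outside the hunk, already calls session_set_cookie_params() with matching values, so the two headers can carry different attributes (and different Domain scopes) for the same cookie name. Consider keeping the cookie host-only by passing `''` as the domain, adding `session_set_cookie_params($session_timeout, $session_path, $domain, $secure, $httponly);` before `$this->start();` so both headers agree, and comparing with `$domain === 'localhost'`. The enclosing constructor begins before this hunk.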