http-only and secure are directives intended for the browser. If the browser doesn't detect HTTP proto for the http-only setting and SSL for the secure setting, then the browser will drop the cookie and it will never make it to the web server.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,236394,237245#msg-237245
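
Added example, not part of the forum post: a minimal model of the client-side enforcement discussed above, following the RFC 6265 semantics (Secure cookies are only attached to requests on a secure channel; HttpOnly cookies are withheld from script APIs such as document.cookie). The `CookieJar` class, `parseSetCookie` function and the sample headers are hypothetical names and constructed data; it models only the sending side, not domain, path or expiry matching.

```javascript
// Constructed Set-Cookie header values (sample data, not from the forum thread).
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; Secure; HttpOnly",
  "theme=dark; Path=/",
  "csrf=xyz; Path=/; Secure",
];

// Hypothetical helper: parse one Set-Cookie value into name, value and the two flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name: nothing to store
  const flags = new Set(attrs.map((a) => a.split("=")[0].trim().toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: flags.has("secure"),
    httpOnly: flags.has("httponly"),
  };
}

// Hypothetical client-side jar: the server only ever sees the result of these filters.
class CookieJar {
  constructor() { this.cookies = []; }
  store(header) {
    const c = parseSetCookie(header);
    if (c) this.cookies.push(c);
  }
  // Names attached to an outgoing request: Secure cookies need an https channel.
  forRequest(scheme) {
    return this.cookies
      .filter((c) => !c.secure || scheme === "https")
      .map((c) => c.name);
  }
  // Names visible to page script: HttpOnly cookies are hidden from it.
  forScript(scheme) {
    return this.cookies
      .filter((c) => !c.httpOnly && (!c.secure || scheme === "https"))
      .map((c) => c.name);
  }
}

function demo() {
  const jar = new CookieJar();
  SAMPLE_HEADERS.forEach((h) => jar.store(h));
  return {
    httpRequest: jar.forRequest("http"),   // what a plain-HTTP backend would receive
    httpsRequest: jar.forRequest("https"), // what an HTTPS backend would receive
    httpsScript: jar.forScript("https"),   // what script on an HTTPS page can read
  };
}
console.log(demo());
```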