Well I am not using setting cookies through meta. I am trying to add this to limit the possibility of attacks. But I will look into if http only is enough