Solution:
As far as I know, it is not possible to pre-set HTTPOnly for any cookie – it is possible to set it for session cookies though.
Take a look at PHP: SetCookie documentation
For Secure bit, your site needs to run also over SSL. For HTTPOnly – in case any scripts depend on values from these cookies, HTTPOnly cookies cannot be read by JS.
You could write your own setSecureCookie() function which internally calls setcookie() … but thats a complete code rewrite.