The SP uses a setting called cookieProps that controls the properties applied to every cookie it sets. The deployer can set whether the cookie is limited to https requests, its domain and path, and other properties such as the HttpOnly flag, so these will vary between sites. By default in the latest version, the cookies are scoped to the fully-qualified host, with a path of "/" (the whole host), and the HttpOnly flag set. They are not marked "secure" by default due to the prevalence of testing done without https, but marking them "secure" is a recommended change.
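To check what a deployed SP actually emits, the following Python sketch audits Set-Cookie header values against the properties described above. It is an added example, not part of the original page or the SP's own code; the function names, the sample headers and the cookie name suffix are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the cookie properties
# discussed above. All sample headers are constructed, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute keys lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header):
    """Return finding codes for one Set-Cookie value (empty list = hardened)."""
    _name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")      # cookie is also sent over plain http
    if "httponly" not in attrs:
        findings.append("no-httponly")    # cookie is readable from page script
    if "domain" in attrs:
        findings.append("domain-wide")    # not limited to the fully-qualified host
    if attrs.get("path") != "/":
        findings.append("path-differs")   # deviates from the default path of "/"
    return findings


# Constructed samples: default-style properties, the recommended "secure"
# variant, and a site-specific override that widens the scope.
SAMPLES = {
    "default": "_shibsession_EXAMPLE=_abc123; path=/; HttpOnly",
    "hardened": "_shibsession_EXAMPLE=_abc123; path=/; secure; HttpOnly",
    "widened": "_shibsession_EXAMPLE=_abc123; path=/app; domain=.example.org",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, audit_cookie(header) or "ok")
```

Feed it the Set-Cookie values from a response captured after login; an empty result means the cookie matches the defaults plus the recommended "secure" marking.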