Syntax to set session cookies
session_set_cookie_params($lifetime, $path, $domain, $secure, true);
Q1. Is setting session cookie like below secure or is there more to be done?
session_set_cookie_params('3600', 'www.example.com', isset($_SERVER["HTTPS"]), true);
Q2. What should be the ideal lifetime for setting a session (from security view point) cookie?
Q3. If ever I decide to shift my web admin folder to sub domain then will the above code require change?.
A1: Your above code looks ideal, as long as it follows the PHP documentation page, who are we to say otherwise;
A2: This all just depends on exactly what this is being used for. In banking, some like to kill the session within minutes of inactivity. In gaming or social networking, these settings tend to be more relaxed and lenient as to give the user more leeway;
A3: Yes, you would have to change the cookie to reflect the new subdomain admin change. If you wanted to set a global cookie (that works on all subdomains):
session_set_cookie_params('3600', 'example.com', (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')? true : false, true);
Hope this helps!