
Is deleting a cookie in PHP with secure and httponly options worth it?


Just a question for general knowledge: is deleting a cookie with PHP using just a regular call the same as deleting it with secure and httponly set to true?

<?php
setcookie('test', $value, -1, '/');
// or
setcookie('test', $value, -1, '/', 'domain.com', true, true);

Edit: The cookie is created with secure and httponly set to true:

setcookie('test', $value, time() + 3600, '/', 'domain.com', true, true);

Solution

  • Now you have confirmed that the cookie is created with secure and httponly set to true.

    In that case, if you just use a regular unset, with nothing after the path, the effect will be the same.

    The reasons are:

    1. Without setting the domain, browsers will automatically consider the cookie host-only (i.e. the request's host must exactly match the domain of the cookie). In your case it should be fine if your scripts (set / amend / delete) are triggered in the same host/domain.

    2. Without setting secure, the cookie will be set over HTTP and/or HTTPS, so in your case it should be fine because your aim is to delete the cookie.

    3. Without setting http only, it should be fine because you have already confirmed that you do not set / use the cookie through other ways (such as JS).
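
The following is an added example, not part of the question or the answer: a small Python model of the rule a browser uses to decide which stored cookie a new Set-Cookie replaces, so the delete calls from the question can be compared on different hosts. The `Jar` class, `still_stored` helper, `NOW` value and the host `www.domain.com` are constructed for illustration; including the host-only flag in the replacement key is an assumption taken from the rfc6265bis draft.

```python
# Added illustration: which stored cookie does a "delete" Set-Cookie replace?
NOW = 1_700_000_000  # constructed "current time" (Unix seconds)

def domain_match(host, domain):
    return host == domain or host.endswith("." + domain)

class Jar:
    def __init__(self):
        self.store = {}

    def set_cookie(self, host, name, expires, path="/", domain="",
                   secure=False, httponly=False):
        """Mirror PHP's setcookie() arguments as received from `host`."""
        if domain:
            domain = domain.lstrip(".").lower()
            if not domain_match(host, domain):
                return  # Domain attribute does not cover this host: ignored
            host_only = False
        else:
            domain, host_only = host, True
        # Replacement key. Secure and HttpOnly are NOT part of it.
        # host_only is included as in the rfc6265bis draft; RFC 6265
        # section 5.3 compares name, domain and path only.
        key = (name, domain, host_only, path)
        self.store.pop(key, None)
        if expires > NOW:  # an already-expired cookie is never kept
            self.store[key] = {"secure": secure, "httponly": httponly}

def still_stored(host, **delete_args):
    """Create the cookie as in the question, then send the delete call.
    Returns how many cookies remain in the jar afterwards."""
    jar = Jar()
    jar.set_cookie(host, "test", NOW + 3600, "/", "domain.com", True, True)
    jar.set_cookie(host, "test", -1, **delete_args)
    return len(jar.store)

if __name__ == "__main__":
    for host in ("domain.com", "www.domain.com"):
        print(host, "path only:", still_stored(host, path="/"))
        print(host, "path + domain:",
              still_stored(host, path="/", domain="domain.com"))
        print(host, "all attributes:",
              still_stored(host, path="/", domain="domain.com",
                           secure=True, httponly=True))
```

In this model the secure and httponly arguments never change the outcome, while the domain and path arguments decide whether the delete call reaches the stored cookie.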