For some of the issues you would have to update your php.ini file and add:
php_value session.cookie_httponly 1
php_value session.cookie_secure 1
That should take care of the secure flag and http only flag.
I updated your logout.php page so it clears the old cookie. It wasn't working because it was redirecting and the cookie update happens in the header of the browser. I removed the redirect so the logout page displays and that allows the page to clear the cookie.