This seems to be one of the confusing parts of ACP->Cookie settings and requires a KB article phpBB • Knowledge Base > Fixing incorrect cookie settings. 

According to PHP: setcookie - Manual

secure

Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to true, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).

If the PHP documentation says it's on the programmer why does phpBB not automatically choose and therefore remove the configurable option in ACP?