How to set `secure` and `httpOnly` for Plone's `__a

Published 2019-07-24 07:08

Question:

I have Plone 4.3.2 (Zope 2.13.21) installed. As mentioned in the documentation (http://plone.org/documentation/kb/securing-plone) cookies should be secure and httpOnly with Zope 2.12 or higher.

Also note that the suggested patch has been included in Zope 2.12.0 b1, so Plone 4, which will use Zope 2.12 or higher, won't have this problem.

But if I log in as admin (or another user that is defined at zope-root) the __ac cookie is not secure and not httpOnly. If I log in as a user created in a site everything is fine. Is there a way to change this?

Answer 1:

First off, to set cookie settings in Plone:

  • append /manage onto your plone site url
  • click "acl_users"
  • click "session"
  • click "properties" tab

Then, as for root login, it depends on where you log in.

Zope root does not implement a cookie plugin; it only logs in with basic auth. IMO, you should never have zope root accessible without first tunneling or using a VPN to get into it.

Finally, you can disable the credentials_basic_auth plugin from your plone site.
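A way to verify the outcome after changing those settings, as an added example that is not part of the original answer: a small Python check that parses the Set-Cookie headers returned by a login and reports any `__ac` cookie missing the Secure or HttpOnly flag. The header values below are constructed placeholders; in practice they come from the responses to a login request against the Plone site and against the Zope root, which is where the question saw the unflagged cookie.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from a real Plone instance):
# a site-level login that sets both flags, a Zope-root login that returns a
# bare __ac cookie, and an unrelated cookie that the audit must ignore.
SAMPLE_SET_COOKIE_HEADERS = [
    "__ac=PLACEHOLDER_SITE_USER; Path=/; Secure; HttpOnly",
    "__ac=PLACEHOLDER_ROOT_USER; Path=/",
    "theme_pref=dark; Path=/",
]

# Flags every credential cookie is expected to carry (compared lower-cased).
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly) map
    to True; valued attributes (Path, Domain, Expires, ...) map to their value.
    Only ';' is treated as a separator, so base64 values with '=' padding and
    Expires dates containing commas are preserved intact.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _sep, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """Return the REQUIRED_FLAGS that are absent from one Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    return [flag for flag in REQUIRED_FLAGS if attrs.get(flag) is not True]


def audit_ac_cookies(headers, prefix: str = "__ac") -> List[Tuple[str, List[str]]]:
    """Audit every cookie whose name starts with `prefix` in a list of headers.

    Returns [(cookie_name, [missing flags]), ...] for failing cookies only, in
    header order, so an empty list means every credential cookie is hardened.
    """
    findings = []
    for header in headers:
        parsed = parse_set_cookie(header)
        if not parsed["name"].startswith(prefix):
            continue
        missing = missing_flags(header)
        if missing:
            findings.append((parsed["name"], missing))
    return findings
```

Run `audit_ac_cookies(...)` over the Set-Cookie headers of both login responses; with the sample above only the root login's `__ac` cookie is reported, matching the behaviour described in the question.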