Forum Discussion
Adding secure and httponly to cookies with same cookiename
I will start off by saying that servers are not supposed to set the same cookie more than once. From RFC6265 section 4.1:
    Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name. (See Section 5.2 for
    how user agents handle this case.)
I'm guessing that isn't specifically helpful to you, but I think it is useful to note.
Having said that, the HTTP::cookie primitives don't contain a method to retrieve duplicates. As such, you'll need to use HTTP::header and look for Set-Cookie and Set-Cookie2 headers. Since you want to insert the secure and HttpOnly attributes, you'll have to iterate over all of the Set-Cookie and Set-Cookie2 header values, remove all Set-Cookie and Set-Cookie2 headers, then re-insert those headers using the values you collected (with some values potentially modified). Something like this (though untested! and I only account for Set-Cookie headers):
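    when HTTP_RESPONSE {
        # $makeCookieSecure is assumed to be set elsewhere (e.g. in an earlier event)
        if { $makeCookieSecure } {
            # Collect every Set-Cookie value, including duplicates of the same cookie-name
            set cookies [HTTP::header values Set-Cookie]
            for { set i 0 } { $i < [llength $cookies] } { incr i } {
                set c [lindex $cookies $i]
                if { !([string tolower $c] contains "; secure") } {
                    append c "; secure"
                }
                if { !([string tolower $c] contains "; httponly") } {
                    append c "; HttpOnly"
                }
                # Store the value once, so both added attributes are kept
                lset cookies $i $c
            }
            # Remove the originals and re-insert the (possibly modified) values
            HTTP::header remove "Set-Cookie"
            foreach c $cookies {
                HTTP::header insert "Set-Cookie" $c
            }
        }
    }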
Keep in mind that this will place all cookies at the end of the Header stream. If that is undesirable, the code gets more complicated.
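An offline model of the rewrite in the post above, added as an example (Python, not iRule code and not part of the original post): it matches cookie attributes by name instead of by substring, and rewrites each Set-Cookie value in a list model of the headers so duplicate cookie-names and their order are easy to inspect. The function names and the sample headers are constructed for illustration.

```python
# Added example: offline model of the Set-Cookie rewrite, not F5 or iRule code.

def cookie_attributes(set_cookie_value):
    """Return the lower-cased attribute names that follow the name=value pair."""
    parts = set_cookie_value.split(";")[1:]   # element 0 is cookie-name=cookie-value
    return {p.split("=", 1)[0].strip().lower() for p in parts if p.strip()}


def harden(set_cookie_value):
    """Append Secure / HttpOnly only when the attribute is really absent."""
    attrs = cookie_attributes(set_cookie_value)
    value = set_cookie_value.rstrip().rstrip(";")
    if "secure" not in attrs:
        value += "; Secure"
    if "httponly" not in attrs:
        value += "; HttpOnly"
    return value


def harden_response(headers):
    """headers: ordered list of (name, value) pairs, duplicates allowed.
    Each Set-Cookie value is rewritten in place; other headers are untouched."""
    return [(n, harden(v)) if n.lower() == "set-cookie" else (n, v)
            for n, v in headers]


# Constructed sample response: the same cookie-name appears twice.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSION=abc123; Path=/"),
    # No space before Secure: a "; secure" substring test would miss it.
    ("Set-Cookie", "SESSION=def456; Path=/app;Secure"),
    # Unknown attribute that merely starts with "secure": a substring test
    # would treat the cookie as already secure.
    ("Set-Cookie", "note=a; secure-ish=1; HTTPONLY"),
    ("Cache-Control", "no-store"),
]

if __name__ == "__main__":
    for name, value in harden_response(SAMPLE):
        print(f"{name}: {value}")
```
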