Server config causing CSRF triggers

I was able to change cookie_httponly to TRUE and the app did not give me login errors, but I was not able to re-add the HttpOnly directive in my httpd.conf and it made no difference in the 403 error I am getting. cookie_secure cannot be set to true because the app needs to be accessible from both https and http connections and the flag effectively disables http connections.