diff --git a/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java b/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java
index 777617d0b..33bc96c7c 100644
--- a/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java
+++ b/php-checks/src/main/java/org/sonar/php/checks/HttpOnlyCheck.java
@@ -70,7 +70,7 @@ public void visitFunctionCall(FunctionCallTree tree) {
         createIssueIfHttpOnlyIsFalse(argument.get().value(), tree);
       } else if (tree.callArguments().size() != 3) {
         // if only 3 argument are defined there is an ambiguity so we don't raise issue
-        context().newIssue(this, tree.callee(), MESSAGE);
+        createIssueIfCookieValueIsNotHardcoded(tree);
       }
     }
     if (isSymfonyCookieCreation(tree)) {
@@ -109,4 +109,16 @@ private void createIssueIfHttpOnlyIsFalse(ExpressionTree argument, FunctionCallT
       context().newIssue(this, tree.callee(), MESSAGE).secondary(argument, null);
     }
   }
+
+  private void createIssueIfCookieValueIsNotHardcoded(FunctionCallTree tree) {
+    Optional<CallArgumentTree> cookieValue = CheckUtils.argument(tree, "value", 1);
+    if (cookieValue.isPresent() && isHardcodedOrNullCookieValue(cookieValue.get())) {
+      return;
+    }
+    context().newIssue(this, tree.callee(), MESSAGE);
+  }
+
+  private static boolean isHardcodedOrNullCookieValue(CallArgumentTree cookieValue) {
+    return cookieValue.value().is(Kind.NULL_LITERAL) || cookieValue.value().is(Kind.REGULAR_STRING_LITERAL);
+  }
 }
diff --git a/php-checks/src/test/resources/checks/HttpOnlyCheck.php b/php-checks/src/test/resources/checks/HttpOnlyCheck.php
index 47686ee35..63519ec42 100644
--- a/php-checks/src/test/resources/checks/HttpOnlyCheck.php
+++ b/php-checks/src/test/resources/checks/HttpOnlyCheck.php
@@ -1,5 +1,6 @@
 <?php
 
+
   setcookie($name, $value, $expire, $path, $domain, true, false); // Noncompliant {{Make sure creating this cookie without the "httpOnly" flag is safe here.}}
 //^^^^^^^^^                                               ^^^^^ <
   setrawcookie($name, $value, $expire, $path, $domain, true, false); // Noncompliant {{Make sure creating this cookie without the "httpOnly" flag is safe here.}}
@@ -12,6 +13,15 @@
 setcookie($name, $value, $expire, $path, $domain, true, $httpOnly);
 setcookie($name, $value, $expire, $path);  // Noncompliant
 setcookie($name, $value); // Noncompliant
+setcookie("tokenIdentity"); // Coverage
+
+setcookie("tokenIdentity", path:"/", value:'foo', expires_or_options:time() - 42000); // Compliant; cookie value is hardcoded
+setcookie(session_name(), '', time() - 3600, '/'); // Compliant; cookie value is hardcoded
+setcookie(session_name(), "", time() - 3600, '/'); // Compliant; cookie value is hardcoded
+\setcookie(\session_name(), null, -1, \OC::$WEBROOT ? : '/'); // Compliant; cookie value is  null
+setcookie("tokenIdentity", 'foo', time() - 42000, "/"); // Compliant; cookie value is hardcoded
+setcookie("tokenIdentity", "foo", time() - 42000, "/"); // Compliant; cookie value is hardcoded
+
 
 setrawcookie($name, $value, $expire, $path, $domain, true, foo(false));
 setrawcookie($name, $value, $expire, $path, $domain, true, true);