How does cookie "Secure" flag work?
The client sets this only for encrypted connections and this is defined in RFC 6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).
Just another word on the subject:
Omitting secure
because your website example.com
is fully https is not enough.
If your user is explicitly reaching http://example.com
, they will be redirected to https://example.com
but that's too late already; the first request contained the cookie.