The only thing that the secure flag does is that the cookie will only be accepted when the site is served over https. It does not make your cookie more secure. The only flag that I would always set with session and security cookies is the httpOnly flag, since it makes sure the cookies can’t be manipulated in the client browser.