
session id missing secure flag - Hosted Website

Low
Weblate
Submitted None
Reported by pavanw3b

Vulnerability Details

Technical details and impact analysis

Hey folks,

Looks like the `sessionid` cookie handles the session id but misses the `Secure` flag. Cookies without this flag will be transmitted over an unencrypted channel and let man-in-the-middle attackers grab the value.

### Attack Vector

- Attacker passes an http:// hosted website link
- Victim clicks the link
- Browser passes the session cookie over http
- MITM attacker gets the value and takes over the account

With #224287, this is made even simpler.

### Suggested Fix

Set the Secure flag to true for the session id and any other sensitive cookies.

Example h1 reports:
https://hackerone.com/reports/58679
https://hackerone.com/reports/6877
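The check below is an added example, not part of the report or of Weblate's code: it parses a `Set-Cookie` header, flags sensitive cookies that lack `Secure` (and, as a bonus, `HttpOnly` and `SameSite`), and models the browser rule that a `Secure` cookie is never sent over a plain http:// request. The headers, cookie names and the `SENSITIVE_NAMES` list are constructed for the example; the real Weblate response headers were not captured in the report.

```python
# Added example: audit Set-Cookie headers for the Secure flag and model
# the browser's send decision. Sample headers below are constructed, not
# taken from the report or from a real Weblate response.

# Cookie names treated as sensitive (assumption for this example; the
# report only names `sessionid`).
SENSITIVE_NAMES = {"sessionid", "csrftoken"}

# Constructed sample headers: the weak one matches the report's finding,
# the fixed one is what the suggested fix would produce.
WEAK_HEADER = "sessionid=abc123; Path=/; HttpOnly"
FIXED_HEADER = "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr_lower: value|True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, sensitive=SENSITIVE_NAMES):
    """Return (cookie_name, [finding codes]) for one Set-Cookie header.

    Non-sensitive cookies produce no findings; sensitive ones are checked
    for the Secure flag (the report's point) plus HttpOnly and SameSite.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() in sensitive:
        if "secure" not in attrs:
            # Without Secure the browser sends the cookie on http:// too,
            # exposing it to an on-path attacker (the report's attack vector).
            findings.append("missing-secure")
        if "httponly" not in attrs:
            findings.append("missing-httponly")
        if "samesite" not in attrs:
            findings.append("missing-samesite")
    return name, findings


def would_browser_send(header, scheme):
    """Model the browser rule: a Secure cookie is only sent over https.

    scheme is "http" or "https" for the request the victim's browser makes
    after clicking the attacker-supplied link.
    """
    _, _, attrs = parse_set_cookie(header)
    if attrs.get("secure") and scheme != "https":
        return False
    return True


if __name__ == "__main__":
    for hdr in (WEAK_HEADER, FIXED_HEADER):
        name, findings = audit_set_cookie(hdr)
        sent_plain = would_browser_send(hdr, "http")
        print(f"{name}: findings={findings} sent over http={sent_plain}")
```

With the weak header the audit reports `missing-secure` and the cookie is still sent on a plain http:// request, which is exactly the leak the report describes; with the fixed header the browser withholds it. Weblate is built on Django, where the equivalent fix is `SESSION_COOKIE_SECURE = True` (and `CSRF_COOKIE_SECURE = True`) in the settings module; whether that was the exact change made for this report is not stated on the page.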

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted