iSEC: #5 Sensitive Cookies not Marked Secure

We have a config setting that would fix (force_ssl) this but it's disabled by default even in production - not sure why.

(from redmine: created on 2013-09-03, closed on 2013-09-03)