I'm doing some research on HTTPS encryption and from what I understand, it looks like cookies can be sent unencrypted over HTTP even if the site is only using HTTPS if they have something called a "secure flag". What does that mean? My site only uses HTTPS, so this seems important.