my $force_secure_cookie = length $ENV{HTTPS};
...;
...;
$http_header{-cookie} = $session->cookie( -secure => $force_secure_cookie );