I have done some digging on this and here is what I have found. By default the cookies toolkit does not set the secure bit for cookies. However, if you use PHP you can do a quick update to set it this way. Here is an example of the set cookie code for PHP:
setcookie("secure_cookie", "1111", time()+(60*60*24*30), "/", "", 0);
It is this final 0 that makes the cookie secure, you can just update it so this last 0 is set to one like this:
setcookie("secure_cookie", "1111", time()+(60*60*24*30), "/", "", 1);
I did some testing with this and the cookie will not show on an http connection if it has the secure flag set like this.