Got it, thanks. More detail at [1] mentioned by gingerline above: "the secure flag does not prevent a cookie from being overwritten. In fact, a HTTP site can overwrite a cookie with a secure flag, as long as the domain names are related appropriately. The secure flag provides confidentiality protection but not integrity protection."
[1] http://security.stackexchange.com/questions/12412/what-cooki...