Hello, 

I figured out the place where the cookie gets set in Galaxy and then add secure to that. Apache configuration didn't work well. 

added the following code into  function "set_cookie" in:
lib/galaxy/web/framework/__init__.py 

def set_cookie( self, value, name='galaxysession', path='/', age=90, version='1' ):
     try:             
         self.response.cookies[name]['secure'] = True         
     except CookieError, e:             
         log.warning( "Error setting secure attribute in cookie '%s': %s" % ( name, e ) )

I tested by running the following, now I can see the flag "secure" in the set-cookie

curl -k -D - https://gx.cbio.mskcc.org/ -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
Date: Mon, 06 May 2013 14:50:16 GMT
Server: PasteWSGIServer/0.5 Python/2.6.6
content-type: text/html; charset=UTF-8
Set-Cookie: galaxysession=7cf35ade3e68eef6c0bd6866318609b987df86a0d50ecc280f02efaa5966a9aa59ce7177812bed97; expires=Sun, 04-Aug-2013 10:50:16 GMT; httponly; Max-Age=7776000; Path=/; secure; Version=1
Connection: close
Transfer-Encoding: chunked

100 25395    0 25395    0     0  35881      0 --:--:-- --:--:-- --:--:-- 69575

--Vipin

Hi dev-team, 

We have placed our galaxy instance ssl and I need to make sure that the secure flag is set 
on the cookie (commonly represented by the word “secure” under the Security column) but 
I am not able to do the same. something like below: 

Inline image 2

when I checked on my instance I saw as below: 
Inline image 3
I have made necessary changes to my ssl.conf to put the flag as secure, but it seems not appearing here. 

Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly

does anybody have an experience in setting up the same. thanks in advance, 

--/Vipin