In rdiffweb prior to version 2.4.6, the cookie session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.
cookie