What is the secure flag?
a cookie whose value is critical for the integrity of the session should have this flag enabled in order to allow its transmission only in an encrypted channel to deter eavesdropping. - OWASP
Don't get hung up on the "critical for the integrity" part. If you went to the effort to create a cookie for the user, it's probably important. Go ahead and set the Secure flag.
Haven't heard of SurfJacking? Look here
New Tool to Automate Cookie Stealing from Gmail, Others. Washington Post
SurfJacking.pdf from net-security.org
Since we are setting flags, go ahead and also set the HttpOnly flag. This is unrelated to the above issue, but it's a good move and will help protect against cookie theft via XSS.
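As an added example (not code from the original post), here is how both flags look on the wire, using Python's standard-library http.cookies module to emit a Set-Cookie header with Secure and HttpOnly set, plus a small audit helper that reads a Set-Cookie header back and reports whichever of the two flags is missing. The function names build_session_cookie and audit_set_cookie and the sample cookie values are my own constructions for illustration.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, max_age=3600):
    """Return a Set-Cookie header value for a session cookie with
    Secure (HTTPS-only transmission) and HttpOnly (not readable from
    script) both enabled. Function name and defaults are illustrative."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # browser only sends it over TLS
    jar[name]["httponly"] = True    # document.cookie cannot read it
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and return a list of findings
    for a missing Secure or HttpOnly attribute (empty list = both set).
    Attribute names are matched case-insensitively, as browsers do."""
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    findings = []
    if "secure" not in attrs:
        findings.append(f"{cookie_name}: missing Secure "
                        "(cookie can be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{cookie_name}: missing HttpOnly "
                        "(cookie readable by injected script)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a weak header as many apps emit it, and the hardened one.
    weak = "SESSIONID=abc123; Path=/"
    hardened = build_session_cookie("SESSIONID", "abc123")
    print("weak:    ", weak, audit_set_cookie(weak))
    print("hardened:", hardened, audit_set_cookie(hardened))
```

The audit helper is the piece worth keeping: run it over the Set-Cookie headers your application actually emits (for example in an integration test) rather than trusting that the framework's defaults set the flags.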