The "WMF-Last-Access" cookie is not secure now. Although HSTS is enabled, Secure flag is still needed, since old browsers don't support HSTS, and it is possible for users to clear the HSTS records without clearing cookies.
About WMF-Last-Access: https://wikitech.wikimedia.org/wiki/Analytics/Unique_clients/Last_access_solution