The PHPSESSID is only used inside a session and is deleted and therefore allowed as per GDPR.
A cookie is set by our Content Delivery Network (CDN) and is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. For example, if a certain laptop is used in a local area network where there are laptops infected with viruses, but the specific person's laptop is trusted (e.g. because they've completed a challenge (within your Challenge Passage period), the cookie allows the CDN to identify that client and not challenge them again. It does not correspond to any user ID and does store any personally identifiable information.
Because CDN uses this cookie to identify both HTTP and HTTPS requests from known clients, we do not set the "secure" flag on it. This is not a risk, however: as mentioned above the cookie does not contain sensitive data.
It is not possible to block the CDN cookie at the moment. A Content Delivery Network ensures good performance of websites across the globe. As per the GDPR which states in that some cookies are exempt from this requirement. Consent is not required if the cookie is: used for the sole purpose of carrying out the transmission of a communication, and strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.