diff --git a/src/internal.c b/src/internal.c index ed501fb4d..e1b8cd551 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1999,7 +1999,11 @@ void SSL_ResourceFree(WOLFSSL* ssl) } XFREE(ssl->buffers.dtlsCtx.peer.sa, ssl->heap, DYNAMIC_TYPE_SOCKADDR); ssl->buffers.dtlsCtx.peer.sa = NULL; +#ifndef NO_WOLFSSL_SERVER + XFREE(ssl->buffers.dtlsCookieSecret.buffer, ssl->heap, + DYNAMIC_TYPE_COOKIE_PWD); #endif +#endif /* WOLFSSL_DTLS */ #if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) FreeX509(&ssl->peerCert); #endif @@ -14279,7 +14283,7 @@ int DoSessionTicket(WOLFSSL* ssl, #ifdef WOLFSSL_DTLS Hmac cookieHmac; byte peerCookie[MAX_COOKIE_LEN]; - byte peerCookieSz; + byte peerCookieSz = 0; byte cookieType; byte cookieSz; #endif /* WOLFSSL_DTLS */ diff --git a/src/ssl.c b/src/ssl.c index 4b11a1e81..5ebad4fad 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -34,6 +34,12 @@ #include #include #include +#ifdef NO_INLINE + #include +#else + #include +#endif + #ifndef WOLFSSL_ALLOW_NO_SUITES #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(WOLFSSL_STATIC_RSA) \ @@ -5492,13 +5498,13 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, byte* newSecret; if (ssl->buffers.dtlsCookieSecret.buffer != NULL) { - XMEMSET(ssl->buffers.dtlsCookieSecret.buffer, 0, - ssl->buffers.dtlsCookieSecret.length); + ForceZero(ssl->buffers.dtlsCookieSecret.buffer, + ssl->buffers.dtlsCookieSecret.length); XFREE(ssl->buffers.dtlsCookieSecret.buffer, ssl->heap, DYNAMIC_TYPE_NONE); } - newSecret = (byte*)XMALLOC(secretSz, ssl->heap, DYNAMIC_TYPE_NONE); + newSecret = (byte*)XMALLOC(secretSz, ssl->heap,DYNAMIC_TYPE_COOKIE_PWD); if (newSecret == NULL) { ssl->buffers.dtlsCookieSecret.buffer = NULL; ssl->buffers.dtlsCookieSecret.length = 0; diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 7f503c3ee..dfe15d488 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h 
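Review bot: In the first hunk of src/internal.c, SSL_ResourceFree releases `ssl->buffers.dtlsCookieSecret.buffer` without wiping it first, so the DTLS cookie secret stays readable in freed heap memory. The src/ssl.c hunk of this same commit already wipes the old secret with ForceZero before freeing it in wolfSSL_DTLS_SetCookieSecret. I would put `ForceZero(ssl->buffers.dtlsCookieSecret.buffer, ssl->buffers.dtlsCookieSecret.length);` ahead of the new XFREE (assuming ForceZero is in scope in internal.c, which the hunk does not show) and follow the free with `ssl->buffers.dtlsCookieSecret.buffer = NULL;`, as the context line above does for `peer.sa`. The bare `#endif` that now closes `NO_WOLFSSL_SERVER` would also read better with a `/* NO_WOLFSSL_SERVER */` comment, matching the new `#endif /* WOLFSSL_DTLS */`. The function body starts and ends outside the hunk.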
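Review bot: In wolfSSL_DTLS_SetCookieSecret (second hunk of src/ssl.c) the replacement secret is now allocated with DYNAMIC_TYPE_COOKIE_PWD, but the XFREE of the previous secret a few lines above still passes DYNAMIC_TYPE_NONE, while SSL_ResourceFree frees the same buffer with DYNAMIC_TYPE_COOKIE_PWD. The tags should agree so that any allocator or tracking hook that uses the type argument sees a matching alloc/free pair: `XFREE(ssl->buffers.dtlsCookieSecret.buffer, ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);`. The new XMALLOC line is also missing the space after the comma in `ssl->heap,DYNAMIC_TYPE_COOKIE_PWD`. The function continues outside the hunk, so whether `secretSz` is validated before the allocation cannot be seen here.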
@@ -281,7 +281,8 @@ DYNAMIC_TYPE_OCSP = 44, DYNAMIC_TYPE_SIGNATURE = 45, DYNAMIC_TYPE_HASHES = 46, - DYNAMIC_TYPE_SRP = 47, + DYNAMIC_TYPE_SRP = 47, + DYNAMIC_TYPE_COOKIE_PWD = 48 }; /* max error buffer string size */