Voting starts in March for the Drupal Association Board election.
Advanced search of issues seems broken, so sorry that this may be a duplicate.
I have previously used session.cookie_secure with drupal sites to ensure secure authenticated access.
This depends on having different session names for the HTTP and HTTPS sites; otherwise, the HTTP site will not see the session cookie and so overwrite it with a new one. Thus, as soon as an authenticated HTTPS user visits the equivalent HTTP url, their original HTTPS session will be gone from the browser cookiejar.
What I need is either a way to "force" the session name, or, if drupal wants to require auto-generated session names, it needs to check if session.cookie_secure is enabled, and if so, generate different session names for the HTTP and HTTPS sites. I think a patch would be pretty simple.
Or if I'm just going about this the wrong way and no patch is needed please enlighten me :)