[cookies seem to be working for me after all, despite the error messages] Cookies can have an optional Secure attribute that instructs the user agent to send the cookie only over a secure connection. I can't find anything at all saying that they can only be set by secure connections. This seems strange to me. I'd think that the man in the middle could have fun by giving the user some other session key or whatever when, say, an image is being retrieved over plain http.