--- a/web/application.py	Wed Oct 20 17:37:00 2010 +0200
+++ b/web/application.py	Thu Oct 21 08:23:38 2010 +0200
@@ -216,6 +216,8 @@
         session = self.session_manager.open_session(req)
         cookie = req.get_cookie()
         cookie[self.SESSION_VAR] = session.sessionid
+        if req.https:
+            cookie[self.SESSION_VAR]['secure'] = True
         req.set_cookie(cookie, self.SESSION_VAR, maxage=None)
         if not session.anonymous_session:
             self._postlogin(req)