--- a/web/application.py	Thu Oct 21 18:38:36 2010 +0200
+++ b/web/application.py	Fri Oct 22 09:15:35 2010 +0200
@@ -216,7 +216,7 @@
         session = self.session_manager.open_session(req)
         cookie = req.get_cookie()
         cookie[self.SESSION_VAR] = session.sessionid
-        if req.https:
+        if req.https and req.base_url().startswith('https://'):
             cookie[self.SESSION_VAR]['secure'] = True
         req.set_cookie(cookie, self.SESSION_VAR, maxage=None)
         if not session.anonymous_session: