Hi,

here's a drupal-5 patch that could use a quick review, if anyone has a moment:

http://drupal.org/node/170310

Quick summary of the patch:

If and only if session.cookie_secure is enabled, unique session names will be generated for HTTP and HTTPS sites sharing the same cookie domain, e.g. http://site.example.com/ and https://site.example.com/. For most sites, which don't have session.cookie_secure enabled, there will be no difference in behavior.

Until Drupal 5.2, it was possible to set different session names so separate HTTP and HTTPS sessions could co-exist on the browser. This is the user-friendly way to take advantage of session.cookie_secure, while still offering an HTTP URL for anonymous visitors.

If you use identical session names, as Drupal 5.2 forces you to do, the authenticated HTTPS session will be wiped out from the browser cookie jar if the user visits an HTTP URL during her/his session (which could happen easily if e.g. an administrator views a page via normal URL while doing administration work).

--mark
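An added illustration of the collision described in the message above; it is not code from the post or from the patch. It models a cookie jar under the RFC 6265 storage rule and compares one shared session name with a scheme-dependent one. The `session_name` derivation, the `CookieJar` class and the session ids are constructed for this example.

```python
import hashlib

def session_name(cookie_domain, is_https, cookie_secure, per_scheme=True):
    """Hypothetical naming scheme: the scheme is mixed into the name
    only when session.cookie_secure is enabled."""
    seed = cookie_domain
    if per_scheme and cookie_secure:
        seed = ("https:" if is_https else "http:") + cookie_domain
    # md5 is used here only to derive a stable cookie name, not for security.
    return "SESS" + hashlib.md5(seed.encode()).hexdigest()

class CookieJar:
    """RFC 6265 storage rule: a cookie is identified by (name, domain, path).
    The Secure flag is not part of that identity."""
    def __init__(self):
        self.store = {}

    def set(self, name, value, domain, path="/", secure=False):
        # Same name/domain/path replaces whatever was stored before.
        self.store[(name, domain, path)] = (value, secure)

    def send(self, domain, is_https):
        # Secure cookies are only returned over HTTPS.
        return {n: v for (n, d, _), (v, s) in self.store.items()
                if d == domain and (is_https or not s)}

def simulate(per_scheme, domain="site.example.com"):
    """Return the session id the browser presents on its next HTTPS request."""
    jar = CookieJar()
    # 1. The user logs in over HTTPS (session.cookie_secure is on).
    https_name = session_name(domain, True, True, per_scheme)
    jar.set(https_name, "authenticated-sid", domain, secure=True)
    # 2. The user opens an HTTP URL. The Secure cookie is withheld, so the
    #    server sees no session and issues a fresh anonymous one.
    #    (The Secure flag on this second cookie does not change the outcome.)
    http_name = session_name(domain, False, True, per_scheme)
    if http_name not in jar.send(domain, is_https=False):
        jar.set(http_name, "anonymous-sid", domain, secure=True)
    # 3. The user returns to HTTPS.
    return jar.send(domain, is_https=True).get(https_name)

if __name__ == "__main__":
    print("identical names :", simulate(per_scheme=False))
    print("per-scheme names:", simulate(per_scheme=True))
```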