diff --git a/includes/common.inc b/includes/common.inc
index 0ab9c39..a03573f 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -5062,6 +5062,13 @@ function drupal_get_private_key() {
 * @see drupal_get_hash_salt()
 */
 function drupal_get_token($value = '') {
+ // For mixed HTTP(S) sessions, use a constant identifier so that tokens can be shared between protocols.
+ if (variable_get('https', FALSE) && $GLOBALS['is_https'] && isset($_COOKIE[substr(session_name(), 1)])) {
+ $session_id = $_COOKIE[substr(session_name(), 1)];
+ }
+ else {
+ $session_id = session_id();
+ }
 return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());
 }
diff --git a/includes/form.inc b/includes/form.inc
index fcfc796..e1d8ad4 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -1137,6 +1137,10 @@ function drupal_validate_form($form_id, &$form, &$form_state) {
 return;
 }
 }
+ // Ensure the correct protocol when #https is set.
+ if (!empty($form['#https']) && !$GLOBALS['is_https']) {
+ form_set_error(NULL, t('This form requires HTTPS. Contact the site administrator if the problem persists.'));
+ }
 _form_validate($form, $form_state, $form_id);
 $validated_forms[$form_id] = TRUE;
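Review bot: The `$session_id` computed by the new if/else in drupal_get_token() is never used; the unchanged return line still keys the HMAC on `session_id()`, so on HTTPS the token is still bound to the secure session and the "shared between protocols" behaviour the comment promises does not happen. The return should read `return drupal_hmac_base64($value, $session_id . drupal_get_private_key() . drupal_get_hash_salt());`. Once that is wired up, note that the HTTPS token becomes bound to the plain-HTTP session cookie, which is readable and, on most setups, settable by anyone in a position to speak HTTP to the browser for this host; an attacker who plants a known insecure cookie value could presumably derive the same tokens from their own session, so the comment should spell out that trade-off rather than just "use a constant identifier". A `// NOTE: the insecure cookie is attacker-influenceable; tokens are only as strong as its secrecy on the HTTP side` next to the `$_COOKIE` read would help the next reader.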
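Review bot: The new `form_set_error(NULL, t(...))` call likely records nothing: in the Drupal 7 form API a NULL `$name` is the "read back the current errors" mode of form_set_error() and the message branch is skipped when `isset($name)` is false, so the HTTPS requirement would be silently unenforced — please confirm against form_set_error() and, if so, pass a real element name, e.g. `form_set_error('', t('This form requires HTTPS. Contact the site administrator if the problem persists.'));`. Separately, validation runs on the POST, so by the time this check fires the submitted values have already crossed the wire in clear; the comment `// Ensure the correct protocol when #https is set.` overstates what this does, and something like `// Reject #https forms submitted over plain HTTP (the data has already been sent; this only blocks processing).` would be more honest, with the real protection belonging at form build/render time. The enclosing drupal_validate_form() body continues outside the hunk.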