diff --git modules/simpletest/tests/session.test modules/simpletest/tests/session.test
index d947c51..b5e570e 100644
--- modules/simpletest/tests/session.test
+++ modules/simpletest/tests/session.test
@@ -303,7 +303,7 @@ class SessionHttpsTestCase extends DrupalWebTestCase {
 }
 public function setUp() {
- parent::setUp('session_test');
+ parent::setUp('session_test', 'comment');
 }
 protected function testHttpsSession() {
@@ -318,7 +318,12 @@ class SessionHttpsTestCase extends DrupalWebTestCase {
 $insecure_session_name = session_name();
 }
- $user = $this->drupalCreateUser(array('access administration pages'));
+ $user = $this->drupalCreateUser(array('access administration pages', 'access comments', 'post comments', 'skip comment approval'));
+ user_role_change_permissions(DRUPAL_ANONYMOUS_RID, array(
+ 'access comments' => TRUE,
+ 'post comments' => TRUE,
+ 'skip comment approval' => TRUE,
+ ));
 // Test HTTPS session handling by altering the form action to submit the
 // login form through https.php, which creates a mock HTTPS request.
@@ -456,7 +461,7 @@ class SessionHttpsTestCase extends DrupalWebTestCase {
 }
 }
- // Test that session data saved before login is not available using the
+ // Test that session data saved before login is not available using the
 // pre-login anonymous cookie.
 $this->cookies = array();
 $this->drupalGet('session-test/get', array('Cookie: ' . $anonymous_cookie));
@@ -482,6 +487,39 @@ class SessionHttpsTestCase extends DrupalWebTestCase {
 // Test that the user is also authenticated on the insecure site.
 $this->drupalGet("user/{$user->uid}/edit", array(), array('Cookie: ' . $insecure_session_name . '=' . $session_id));
 $this->assertResponse(200);
+
+ // Test that tokens can be shared in mixed mode.
+ $this->drupalGet('session-test/drupal-token', array(), array('Cookie: ' . $insecure_session_name . '=' . $session_id));
+ $content = $this->xpath('//div[@id="content"]//div[@class="content"]');
+ $token_plain = trim((string) $content[0]);
+
+ $this->drupalGet($this->httpsUrl('session-test/drupal-token'), array(), array('Cookie: ' . $secure_session_name . '=' . $this->cookies[$secure_session_name]['value']));
+ $content = $this->xpath('//div[@id="content"]//div[@class="content"]');
+ $token_secure = trim((string) $content[0]);
+ $this->assertEqual($token_plain, $token_secure, 'Tokens are shared in mixed HTTPS sessions.');
+
+ // Test form submission using comment module.
+ $node = $this->drupalCreateNode(array('type' => 'article', 'promote' => 1));
+ foreach (array('authenticated', 'anonymous') as $mode) {
+ if ($mode == 'anonymous') {
+ $this->drupalLogout();
+ }
+
+ // Test plain HTTP posting to HTTPS.
+ variable_set('test_secure_comments', TRUE);
+ $this->drupalGet('node/' . $node->nid, array('https' => FALSE));
+ $this->assertFieldByXPath('//form[@class="comment-form" and starts-with(@action, "https:")]', NULL, "The $mode comment form action is https.");
+ $this->drupalPost(NULL, array('comment_body[und][0][value]' => 'test comment'), t('Save'));
+ $this->assertRaw(t('Your comment has been posted.'));
+
+ // Test HTTPS posting to plain HTTP.
+ variable_set('test_secure_comments', FALSE);
+ $this->drupalGet('node/' . $node->nid, array('https' => TRUE));
+ $this->assertUrl(url('node/' . $node->nid, array('https' => TRUE, 'absolute' => TRUE)));
+ $this->assertFieldByXPath('//form[@class="comment-form" and starts-with(@action, "http:")]', NULL, "The $mode comment form action is http.");
+ $this->drupalPost(NULL, array('comment_body[und][0][value]' => 'test'), t('Save'));
+ $this->assertRaw(t('Your comment has been posted.'));
+ }
 }
 /**
diff --git modules/simpletest/tests/session_test.module modules/simpletest/tests/session_test.module
index 62b3fbb..4aee235 100644
--- modules/simpletest/tests/session_test.module
+++ modules/simpletest/tests/session_test.module
@@ -61,6 +61,12 @@ function session_test_menu() {
 'access callback' => 'user_is_logged_in',
 'type' => MENU_CALLBACK,
 );
+ $items['session-test/drupal-token'] = array(
+ 'title' => 'Display a token',
+ 'page callback' => 'drupal_get_token',
+ 'access arguments' => array('access content'),
+ 'type' => MENU_CALLBACK,
+ );
 return $items;
 }
@@ -170,6 +176,21 @@ function session_test_form_user_login_alter(&$form) {
 }
 /**
+ * Implements hook_form_FORM_ID_alter().
+ */
+function session_test_form_comment_form_alter(&$form) {
+ if (variable_get('test_secure_comments', FALSE)) {
+ $form['#https'] = TRUE;
+ }
+ else {
+ $url = drupal_parse_url($form['#action']);
+ $url['https'] = FALSE;
+ $url['absolute'] = TRUE;
+ $form['#action'] = url($url['path'], $url);
+ }
+}
+
+/**
+ * Implements hook_drupal_goto_alter().
 *
 * Force the redirection to go to a non-secure page after being on a secure
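Review bot: The token comparison in the added "tokens can be shared in mixed mode" block can pass without proving anything, because `$content[0]` is read after each `drupalGet()` with no check on the response or on what the XPath matched. If both requests fail the same way (for example both render the same access-denied text inside that content div), `$token_plain` and `$token_secure` are still equal and `assertEqual()` succeeds. Add `$this->assertResponse(200);` after each of the two token requests and `$this->assertTrue(strlen($token_plain) > 0, 'A token was returned over HTTP.');` before the comparison. The comment above the block could also say that the equality asserted here means a token issued to the plain-HTTP session is accepted on the HTTPS side, which is the trade-off of mixed mode. testHttpsSession() starts outside this hunk.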
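Review bot: The new `session-test/drupal-token` item prints a form token in the page body to any role holding `access content`, while the item directly above it in this hunk is limited with `'access callback' => 'user_is_logged_in'`. The test only requests the path with an authenticated session cookie, so the tighter check is enough: replace the `access arguments` line with `'access callback' => 'user_is_logged_in',`. A short comment such as `// Exposes drupal_get_token() output so SessionHttpsTestCase can compare HTTP and HTTPS tokens.` would make clear why a token is deliberately echoed. session_test_menu() begins before this hunk.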
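Review bot: The docblock on `session_test_form_comment_form_alter()` names only the hook and leaves out the one thing a reader needs to know, that the `test_secure_comments` variable switches between forcing the comment form to HTTPS and deliberately rewriting its action to plain HTTP. Suggest adding a line such as `Forces the comment form to HTTPS when 'test_secure_comments' is set; otherwise rewrites its action to an absolute plain-HTTP URL so the test can post from HTTPS to HTTP.` Separately, `$form['#action']` may already include the site base path, in which case feeding `$url['path']` back through `url()` could prefix it a second time on a subdirectory install; this cannot be confirmed from the hunk and is worth checking.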