See the comments on #961508: Dual http/https session cookies interfere with drupal_valid_token(). Stuck due to adherence to backport policy Please help lobby or contribute to get this resolved if you are able so we can get a real release. People are now using secure login as yet another workaround.