Hey
I know this affects version 3.x as well, but this has bugged me for a while.
On an SSL wordpress blog, even using the 'SSL Wordpress' plugin, the secure flag is not set on the wordpress_logged_in cookie.
To set it on cookies, change the file at wp-includes/pluggable.php
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true)
Where it says '$secure_logged_in_cookie' change to '$secure' on both lines.
I think this will muck up sites which don't have SSL support.
Could this maybe be officially fixed in 3.6.1 or something?
Toby