Scenario:
- I'm logged out of Ministry (all cookies deleted).
- I log into Ministry through the http:// protocol
- I realise I'm on a non-encrypted connection and manually change http into https.

Expected behaviour:
- I need to re-login on the secured connection.

Actual behaviour:
- I'm still logged in.

So, what does this mean?
It means that the https connection to Kronosaur is only window dressing: if I can downgrade my connection at will (even for a login), there is hardly any security benefit to supporting https.

How to solve?
Set the Secure flag on the session cookies, so the browser only ever sends them over https and a cookie obtained on an http:// page cannot be presented on the https:// one (and vice versa). Failing that, at the very least set it on the 'remember-me' cookies, which are the ones that survive the longest. Add HttpOnly as well, so page scripts cannot read the cookie either; note that HttpOnly by itself does nothing against the downgrade described above, only Secure does. The login form and login handler should also be served over https only, because a cookie that was first set across a plain http login has already been exposed once, whatever flags it carries.

Set-Cookie: mycookie=somevalue; Path=/securesite/; Expires=Sun, 12 Dec 2010 00:00:00 GMT; Secure; HttpOnly
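A quick way to check a site for exactly this problem is to look at the Set-Cookie headers its login response returns and see which cookies lack the two flags. The script below is an added example, not code from the original report or from Kronosaur: it parses raw Set-Cookie header values (the format shown above) and reports every cookie that a browser would still send over plain http:// (no Secure) or hand to page scripts (no HttpOnly). The sample headers are constructed for the example; the cookie names are not Ministry's.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example (not part of the original post). Given the raw
Set-Cookie header values from a login response, report each cookie
that a browser would still send over http:// (missing Secure) or
expose to document.cookie (missing HttpOnly). Sample input is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name, lowercased -> attribute value, or None for bare flags
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: name=value; Attr; Attr=value; ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # Attribute names are case-insensitive (Secure == secure == SECURE)
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit(headers: list[str]) -> dict[str, list[str]]:
    """Return {cookie name: [problems]}; cookies with no problems are omitted."""
    findings: dict[str, list[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        problems = []
        if not cookie.secure:
            problems.append("missing Secure: browser also sends it over http://")
        if not cookie.http_only:
            problems.append("missing HttpOnly: readable via document.cookie")
        if problems:
            findings[cookie.name] = problems
    return findings


# Constructed sample of what a login response might set (hypothetical names).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                                # no Secure
    "remember_me=tok456; Path=/; Expires=Sun, 12 Dec 2010 00:00:00 GMT", # neither flag
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",                        # both flags set
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HEADERS).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

Run it against the headers captured from a real login response (browser dev tools or a proxy will show them); any session or remember-me cookie that appears in the output is one the browser will happily send on the http:// version of the site.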

How serious is this flaw?
Well, it depends. Do you want the benefits of https?
- if no: no issue here.
- if yes: you need to fix this, because currently this issue is negating a good part of the benefits of https.

I'm pretty sure I could unearth a lot more problems, but the Terms of Service forbid any digging.