Shortly after Drupal fixed their issues with cookie demotion, I applied the patch. Unfortunately, since I run both http and https on my site, when I added ini_set('session.cookie_secure', 1) to my settings.php, it caused cookies for my site to get marked as secure even for http visitors. This had the side effect of breaking comments for my site, since the captcha module could not track users that properly solved it. Some of you noticed and contacted me, thanks for the heads up. Check below the fold for some suggestions and solutions for flagging Drupal and other php-based session cookies as secure for mixed sites.