I'm bumping up against a problem in the session.secure() implementation. If a session is secured, and then the app is hit with an HTTP request, the session is blown out. This happens even if the session isn't modified by the HTTP request and even if it is immediately redirected to HTTPS.
The consequence of this is that using request.requires_https() or any other SSL enforcement will cause users to be repeatedly logged out if they're not accessing the site directly through HTTPS. For instance, if I go to (http://)twitter.com, Twitter forces a redirect to https://twitter.com, and if I was logged in before, my session will still be there. Right now it seems impossible to do this with web2py.