I'm facing the same situation: my board is accessible both over HTTP and over HTTPS, whatever the user chooses. Currently I can confirm that:
- Cookie secure: off - works fine in this scenario
- Cookie secure: on - creates problems when the user request the board via HTTP
- With Cookie secure: off, the user ALWAYS get plain, unencrypted cookies, even if the negotiation is done via HTTPS
Edit: I created a ticket for this.