the password reset form creates an authenticated session, and therefore should be securable.  also make password request and contact forms securable.

delete new setting in the drupal 6 branch on upgrade; make a high-security configuration the default.

set secure base URL to NULL by default; this allows database dumps to be used at other URLs without modification as long as SSL is functional.

remove the redirect feature. it requires mixed-mode sessions which are no longer supported in favor of truly "secure" login sessions.

register form may be a login form, depending on site configuration; also fix a bug in register form setting

Add a warning if $conf['https'] is TRUE; make it clear that some forms need to be secure for basic functionality to work

Add hook_url_outbound_alter() implementation to make it easier to generate secure URLs. Support core's $form['#https'] and $options['https'] for forms and URLs respectively.