=== modified file 'IkiWiki.pm'
--- IkiWiki.pm	
+++ IkiWiki.pm	
@@ -54,6 +54,7 @@
 	plugin => [qw{mdwn inline htmlscrubber}],
 	timeformat => '%c',
 	locale => undef,
+	sslcookie => 0,
 } #}}}
    
 sub checkconfig () { #{{{
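Review bot: The new `sslcookie` default is added without any validation of the constraint the accompanying docs put on users, namely that `cgiurl` must be an https:// URL when the option is on; a Secure-flagged cookie is simply never sent back by the browser over plain http, so a misconfigured wiki fails login silently rather than loudly. Since `checkconfig` begins right below this hunk (its body is outside the hunk), it seems the natural place for a guard such as `error("sslcookie is enabled but cgiurl is not an https:// URL") if $config{sslcookie} && $config{cgiurl} !~ m{^https://}i;`, assuming `error` is the helper checkconfig already uses for fatal misconfiguration. A one-line comment on the default, `# set to 1 to mark the session cookie Secure; requires an https:// cgiurl`, would also help readers of this hash.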

=== modified file 'IkiWiki/CGI.pm'
--- IkiWiki/CGI.pm	
+++ IkiWiki/CGI.pm	
@@ -72,7 +72,12 @@
 		changelog => [rcs_recentchanges(100)],
 		baseurl => baseurl(),
 	);
-	print $q->header(-charset=>'utf-8'), $template->output;
+	if ($config{sslcookie}) {
+		my $cookie = $q->cookie(-secure=>1);
+		print $q->header(-charset=>'utf-8', -cookie=>$cookie), $template->output;
+	} else {
+		print $q->header(-charset=>'utf-8'), $template->output;
+	}
 } #}}}
 
 sub cgi_signin ($$) { #{{{
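Review bot: `$q->cookie(-secure=>1)` on the added lines does not construct a cookie: CGI.pm's `cookie()` only creates a new cookie when `-name` (and a value) are supplied, and with neither it takes the retrieval path and returns the names of the cookies the client sent, so `$cookie` holds a count or undef and `-cookie=>$cookie` passes that to `header()` instead of a Secure-flagged session cookie. This handler appears to print through a plain CGI object rather than a CGI::Session, so there looks to be no session cookie to re-issue here at all; the simplest fix is to drop the branch and keep `print $q->header(-charset=>'utf-8'), $template->output;`. If a cookie genuinely must be set from this path it needs an explicit name and value, e.g. `$q->cookie(-name=>$name, -value=>$value, -secure=>1)`. The enclosing function starts outside the hunk.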
@@ -204,7 +209,13 @@
 				$form->field(name => "confirm_password", type => "hidden");
 				$form->field(name => "email", type => "hidden");
 				$form->text("Registration successful. Now you can Login.");
-				print $session->header(-charset=>'utf-8');
+				if ($config{sslcookie}) {
+					my $cookie = $session->cookie(-secure=>1);
+					print $session->header(-charset=>'utf-8', 
+								-cookie=>$cookie);
+				} else {
+					print $session->header(-charset=>'utf-8');
+				}
 				print misctemplate($form->title, $form->render(submit => ["Login"]));
 			}
 			else {
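Review bot: The same seven-line `if ($config{sslcookie}) { ... } else { ... }` block around `$session->header` is pasted here and again in the two following hunks of this file (the "Mail Password" branches and the preferences handler), which is the kind of duplication that drifts the next time the header needs a change; it is better pulled into one helper, e.g. `printheader($session);` at each call site. The helper is also the one place to settle a question this hunk leaves open: CGI::Session's `header()` already attaches its own session cookie, so it is worth confirming that the explicit `-cookie` replaces that cookie rather than producing a second Set-Cookie without the Secure flag, which would defeat the option. The availability of `$session->cookie(...)` with pass-through options depends on the CGI::Session version in use and should be confirmed as well. The enclosing function starts before the hunk.
```perl
# Print the CGI header for $session, marking the session cookie Secure
# when sslcookie is enabled so browsers only return it over https.
sub printheader ($) { #{{{
	my $session=shift;

	if ($config{sslcookie}) {
		print $session->header(-charset=>'utf-8',
			-cookie=>$session->cookie(-secure=>1));
	}
	else {
		print $session->header(-charset=>'utf-8');
	}
} #}}}
```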
@@ -232,12 +243,24 @@
 			
 			$form->text("Your password has been emailed to you.");
 			$form->field(name => "name", required => 0);
+			if ($config{sslcookie}) {
+				my $cookie = $session->cookie(-secure=>1);
+				print $session->header(-charset=>'utf-8',
+							-cookie=>$cookie);
+			} else {
+				print $session->header(-charset=>'utf-8');
+			}
+			print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
+		}
+	}
+	else {
+		if ($config{sslcookie}) {
+			my $cookie = $session->cookie(-secure=>1);
+			print $session->header(-charset=>'utf-8',
+						-cookie=>$cookie);
+		} else {
 			print $session->header(-charset=>'utf-8');
-			print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
-		}
-	}
-	else {
-		print $session->header(-charset=>'utf-8');
+		}
 		print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
 	}
 } #}}}
@@ -314,7 +337,12 @@
 		$form->text("Preferences saved.");
 	}
 	
-	print $session->header(-charset=>'utf-8');
+	if ($config{sslcookie}) {
+		my $cookie = $session->cookie(-secure=>1);
+		print $session->header(-charset=>'utf-8', -cookie=>$cookie);
+	} else {
+		print $session->header(-charset=>'utf-8');
+	}
 	print misctemplate($form->title, $form->render(submit => \@buttons));
 } #}}}
 

=== modified file 'doc/ikiwiki.setup'
--- doc/ikiwiki.setup	
+++ doc/ikiwiki.setup	
@@ -84,4 +84,11 @@
 	#                   sidebar map rst}],
 	# If you want to disable any of the default plugins, list them here.
 	#disable_plugins => [qw{inline htmlscrubber}],
+
+	#Only use cookies over SSL connection. SHould prevent anyone from
+	#stealing your cookie and posing as you. If you use this option
+	#then you must either run the whole wiki over SSL, or have 
+	#a https:// URL for cgiurl above.
+	sslcookie => 0,
+
 }

=== modified file 'doc/security.mdwn'
--- doc/security.mdwn	
+++ doc/security.mdwn	
@@ -134,7 +134,9 @@
 
 Login to the wiki involves sending a password in cleartext over the net.
 Cracking the password only allows editing the wiki as that user though.
-If you care, you can use https, I suppose.
+If you care, you can use https, I suppose. If you do use https either for
+all of the wiki, or just the cgi access, then consider using the sslcookie
+option. This will also prevent your authentication cookie being stolen.
 
 ## XSS holes in CGI output
 

=== modified file 'doc/usage.mdwn'
--- doc/usage.mdwn	
+++ doc/usage.mdwn	
@@ -235,6 +235,13 @@
   subversion checkout. It is unoptimised and quite slow. It is best used
   with --rebuild, to force ikiwiki to get the ctime for all pages.
 
+* --sslcookie
+
+  Only use cookies over an SSL connection. This should prevent them being
+  stolen. If you enable this option then you must run the whole wiki over SSL,
+  or at least the cgi access (i.e. you must a https:// URL for the cgiurl
+  parameter at least).
+
 # AUTHOR
 
 Joey Hess <joey@kitenet.net>

=== modified file 'ikiwiki.pl'
--- ikiwiki.pl	
+++ ikiwiki.pl	
@@ -45,6 +45,7 @@
 			"svnpath" => \$config{svnpath},
 			"adminemail=s" => \$config{adminemail},
 			"timeformat=s" => \$config{timeformat},
+			"sslcookie!" => \$config{sslcookie},
 			"exclude=s@" => sub {
 				$config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$_[1]/;
 			},


