How do you pass session around? hidden fields: works. cookies: I think http cookies are also sent to https. url field: works.

Keep in mind that login.cgi should not *submit* to http: and then redirect to https:... It's already sent the login info in the clear!