Index: paste/auth/cookie.py
===================================================================
--- paste/auth/cookie.py	(revision 5881)
+++ paste/auth/cookie.py	(working copy)
@@ -220,6 +220,14 @@
             or list of environment keys will work.  However, be
             careful, as the total saved size is limited to around 3k.
 
+        ``universal``
+
+            Set this to True if you want the cookie to be usable for both
+            HTTPS and normal HTTP connections. This is useful if you first
+            want to set the authentication cookie via HTTPS but want to use
+            it on non-HTTPS parts of the site as well. This controls the
+            'Secure' flag of the cookie.
+
         ``signer``
 
             This is the signer object used to create the actual cookie
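Review bot: The new ``universal`` entry describes the convenience but not the cost. With the Secure flag off, the signed authentication cookie is sent in cleartext on every plain-HTTP request, and a captured copy stays valid for as long as the signer accepts it (presumably until its timeout). I would append a sentence such as `Note that the cookie is then sent unencrypted over HTTP and can be captured and replayed; leave this False unless that is acceptable.` The entry should also state that the default is False, as the new signature shows.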
@@ -237,13 +245,14 @@
     environ_class = AuthCookieEnviron
 
     def __init__(self, application, cookie_name=None, scanlist=None,
-                 signer=None, secret=None, timeout=None, maxlen=None):
+                 signer=None, secret=None, timeout=None, maxlen=None, universal=False):
         if not signer:
             signer = self.signer_class(secret, timeout, maxlen)
         self.signer = signer
         self.scanlist = scanlist or ('REMOTE_USER','REMOTE_SESSION')
         self.application = application
         self.cookie_name = cookie_name or self.cookie_name
+        self.universal = universal
 
     def __call__(self, environ, start_response):
         if self.environ_name in environ:
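Review bot: `self.universal = universal` stores the argument as given, and the later check is `not self.universal`, so any non-empty string, including `"false"`, would switch the Secure flag off. Whether the option can arrive from a text configuration is not visible in this patch; if it can, convert it to a real boolean at that boundary or here before storing it, so a mistyped value does not silently weaken the cookie. The widened signature line also runs past the usual line length, and moving `universal=False` to its own continuation line would match the wrapping already used.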
@@ -291,7 +300,7 @@
                 content = ";".join(content)
                 content = self.signer.sign(content)
                 cookie = '%s=%s; Path=/;' % (self.cookie_name, content)
-                if 'https' == environ['wsgi.url_scheme']:
+                if not self.universal and 'https' == environ['wsgi.url_scheme']:
                     cookie += ' secure;'
                 response_headers.append(('Set-Cookie', cookie))
             return start_response(status, response_headers, exc_info)
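Review bot: The cookie string built here is `'%s=%s; Path=/;'` with no `HttpOnly` attribute, and with `universal` set it now also goes out without `secure` on an HTTPS response. That is the intended effect of the option, but it leaves the authentication cookie with no protective attributes at all. Consider `cookie = '%s=%s; Path=/; HttpOnly;' % (self.cookie_name, content)`, provided no client-side script is expected to read it. A short comment on the branch would also help, for example `# universal: deliberately omit Secure so the cookie is also sent over plain HTTP`. The enclosing function starts outside this hunk.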

