uffd silently fails without TLS
The cookie is sent with the Secure flag, so it doesn't work when not using HTTPS (e.g. when testing). So, login silently fails and it is hard to track down why.
Some possible solutions:
- don't send it with the Secure flag - maybe make this a config option for the admin
- if the login form is POSTed over HTTP, catch this and display an error
- or just document in the README that TLS is required.
Thanks! -davidc