There's a setting, $wfCookieSecure, that determines whether the cookies used by
mediawiki are supposed to be https only. This setting is not honored for the
session cookie. The interface to do that is new in PHP 4.2.0; as mediawiki now
requires PHP 5, it can be enabled.
Note that there is a similar bug 4731 for the httponly parameter, but that is
new in PHP 5.2 so it might be undesirable to enable that.
OS: Windows XP