@Halfak and I noticed this earlier.
- Log in to a Wikimedia wiki
- Browse to /w/api.php?action=query&meta=userinfo via HTTP (not HTTPS)
- See "You are centrally logged in. Reload the page to apply your user settings."
- Reload page
- No change. The login would've happened over HTTPS but this is unencrypted.
- Load page via HTTPS instead
- Now you're shown as logged in