I know this is an old question, but our team ran into it recently and
found a solution that may be helpful to others. I decompiled AEM's
TokenUtil class and tried to find the place where the login-token cookie
is set, and the secure flag is set or not based on the request's
isSecure() method. If the request is secure, then the flag is set.
Otherwise, it's not. So the question really becomes: how do we get the
request to be marked as secure? It ends up there are a few solutions here.
The first is t...