If I enable "Force SSL Administration", wouldn't it also be sensible to have the "wordpress_logged_in_HASH" cookie be set to "Secure"? Or maybe not have it set at all, as when using HTTPS, WordPress should fall back to "wordpress_sec_HASH", as far as I understood the code.
Maybe add this as an option, as I am aware that I can't be browsing the content of the site via HTTP as a logged-in user in this case.
As the auth-cookies of WordPress are known to be weak, I'd really like to prevent any of those cookies ever been sent via HTTP. Even if it is only me forgetting to log-out or loading some content (e.g. an image) via HTTP instead of HTTP from the domain.
Would be an important improvement, in my opinion.
Thanks for your consideration!