try to couple some way HttpAdapter's httpOnly option and AuthProvider's useLimitedToken do not send secure cookies over non-secure channel