Potencial solution: Only set secure cookies in shared session mode with Force HTTPS to all site.

No. Do not do this.

its 2017, there is simply no reason to ONLY use ssl on the admin side and not the frontend.

The correct solution would be to remove the ability to force https on admin only, leaving force ssl on everything, or nothing.

@PhilETaylor generally i agree with you, but i also know some admins that use https in the backend only with self signed certificate.
Also that's a B/C break imo.

So as much i would prefer it, i think we cannot do that.

We could in 4.0 whatever year that will be :)

This is a relatively new feature so b/c is less of an issue - if you wanted you could say that this is a bug you are fixing and not a break :)

However I think it is a wrong concept to think that a session can be shared between http and https sessions. All that needs to be done is to update the documentation for this feature to explain that

I am against the idea to remove the option to force SSL for the admin only.

If you have any social media buttons on your page, e.g. Facebook like button, which has likes for the http URL, all likes will be lost when chaning to https URL, because those are fifferent from their point of view. You have to mess around with redirects, possibly even user agent specific redirecs, to come out of this mess, or you have to make the admin unsecure by not forcing SSL at all.

And for me the curent behavior aleways was OK. I never had the expectation that when I have an SSL session in the backend and an non-SSL in the frontend, that I can share this login. For me it made sense that it is 2 different logins, SSL and non-SSL.

And so I agree with Brian, update the docs if necessary and all is fine.

But maybe I am wrong.

new PR #16514