diff --git a/trac/web/auth.py b/trac/web/auth.py
--- a/trac/web/auth.py
+++ b/trac/web/auth.py
@@ -59,6 +59,11 @@
     ignore_case = BoolOption('trac', 'ignore_auth_case', 'false',
         """Whether login names should be converted to lower case
         (''since 0.9'').""")
+
+    secure_auth_cookie = BoolOption('trac', 'secure_auth_cookie', 'false',
+        """When true, set the `secure` flag on the `trac_auth` authentication
+        cookie so that it is only sent back on HTTPS connections
+        (''since 0.11.2'').""")
 
     # IAuthenticator methods
 
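Review bot: The help text for `secure_auth_cookie` does not say what happens when the option is enabled while the site is still reachable over plain HTTP. In that case the browser never returns `trac_auth` on the HTTP side, so a login there appears to succeed and then does not persist. I would extend the docstring with a sentence such as `Enable this only when the site is served exclusively over HTTPS; over plain HTTP the cookie is not sent back and logins will not persist.` The `'false'` default preserves existing behaviour, but it also means HTTPS-only deployments keep issuing the auth cookie without the flag until an administrator opts in, which deserves a line in the upgrade notes.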
@@ -144,6 +149,8 @@
         req.authname = remote_user
         req.outcookie['trac_auth'] = cookie
         req.outcookie['trac_auth']['path'] = req.base_path or '/'
+        if self.secure_auth_cookie:
+            req.outcookie['trac_auth']['secure'] = True
 
     def _do_logout(self, req):
         """Log the user out.

