I think there's a tiny typo in the new security check in admin/access.py. Should be "is_https", correct?
if request.env.http_x_forwarded_for or request.is_http:
    session.secure()
http://code.google.com/p/web2py/source/browse/applications/admin/models/access.py#13

