When $wgSecurelogin is true, the login has the checkbox "Stay connected to HTTPS after login".
If this option is left unchecked, the user's session cookie is set with the secure flag, but the user is then forwarded to http, and loose their session.
If you have not patched bug 40995, then you will often not see this, since the session frequently will be started under an insecure connection, and is not refreshed on login.
Version: 1.21.x
Severity: normal