The AUR still handles user logins and sessions in an insecure way that can easily be exploited. The last approach to use https by default was denied a long time ago. But I hope you guys will reconsider this decision.
The optional https access as we have now won't work here. Even if you never forget to add the s to http when you log in, session data is also transferred via http. So once you click a non-https link to the AUR it would be possible for an attacker to hijack your session.
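The scenario described in the message above, as an added example that is not part of the original message or of the AUR code base: a minimal model of how a browser scopes a session cookie, showing that a cookie issued without the `Secure` attribute is attached to a plain-http request even after an https login, and that `Secure` plus HSTS stops it. The host `aur.example`, the cookie name `SID` and all header values are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

class Jar:
    """Simplified single-host cookie jar (assumption: not a full RFC 6265 model)."""
    def __init__(self):
        self.cookies = {}   # name -> (value, secure_flag)
        self.hsts = False

    def receive(self, url, headers):
        scheme = urlsplit(url).scheme
        for key, val in headers:
            if key.lower() == "set-cookie":
                name, value, attrs = parse_set_cookie(val)
                self.cookies[name] = (value, "secure" in attrs)
            elif key.lower() == "strict-transport-security" and scheme == "https":
                self.hsts = True   # HSTS is only honoured when received over HTTPS

    def request(self, url):
        """Return (effective scheme, cookies attached) for a navigation to url."""
        scheme = urlsplit(url).scheme
        if scheme == "http" and self.hsts:
            scheme = "https"       # upgraded before anything leaves the machine
        sent = {n: v for n, (v, secure) in self.cookies.items()
                if scheme == "https" or not secure}
        return scheme, sent

def cleartext_exposure(login_headers, link="http://aur.example/packages"):
    """Cookie names that cross the network unencrypted when `link` is followed."""
    jar = Jar()
    jar.receive("https://aur.example/login", login_headers)   # login done over https
    scheme, sent = jar.request(link)
    return sorted(sent) if scheme == "http" else []

# Constructed response headers: optional-https setup vs. hardened setup.
WEAK = [("Set-Cookie", "SID=constructed123; Path=/; HttpOnly")]
HARDENED = [("Set-Cookie", "SID=constructed123; Path=/; HttpOnly; Secure"),
            ("Strict-Transport-Security", "max-age=31536000")]
```

`cleartext_exposure(WEAK)` reports the session cookie as sent in the clear on the first http link, while `cleartext_exposure(HARDENED)` reports nothing.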