In my situation it is not possible to use force_ssl=1 in the config.ini.php file for more than one reason. One reason is the scripts which are using the API, another is the web cron. I can’t change that! I guess I’m not alone with this problem.
My suggestion is to introduce a special flag only for the web login. For example: force_ssl_login = 1
I think it’s a good idea to separate the SSL flag for the login from the SSL flag for the API and the web cron.
The two reasons I have listed above: web cron and API. The scripts which are using the API are running on an old Linux server with no possibility for SSL requests. I won’t change this. I’m sure you know the saying “Never touch a running system.”