Have not read the thread, but first observations are:
1. Collecting account info in registration over http == bad.
2. Registration says, "now go logon"; come on, why didn't you set the session cookie?
3. Collecting user id and password over http for logon means it can be taken.
4. Session cookies over http mean they can be taken even if you send creds over https.
5. Tried to logon after registration and was told the account would lock out in 5 tries; sure I entered the right password, why can't I log in?
6. Tried to logon again, still said bad password and lockout in 5 tries; shouldn't it be 4?
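For reference, an added example (not code from the site being discussed or from anyone in this thread) of a minimal login handler that does what points 2, 4, 5 and 6 ask for: it counts the remaining attempts down correctly, locks after the fifth failure, and issues the session cookie with the Secure and HttpOnly attributes so the browser never sends it over plain http. The account store and the MAX_ATTEMPTS value of 5 are constructed assumptions.

```python
# Added example: attempt counter plus a session cookie that is only sent over https.
# Accounts are a constructed in-memory dict; MAX_ATTEMPTS mirrors the "5 tries" in the post.
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # lockout threshold (assumed, from the thread's "5 tries")


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked store does not hand out plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "failed": 0, "locked": False}


def session_cookie(token: str) -> str:
    # Secure: browser sends it only over https, so a plain-http page cannot leak it.
    # HttpOnly: page script cannot read it. SameSite=Lax limits cross-site sends.
    return f"sid={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def login(account: dict, password: str) -> dict:
    """Check a password; returns a result dict with the remaining-attempt count."""
    if account["locked"]:
        return {"ok": False, "msg": "account locked", "remaining": 0}
    if hmac.compare_digest(_hash(password, account["salt"]), account["hash"]):
        account["failed"] = 0  # a good login resets the counter
        return {"ok": True, "msg": "welcome", "remaining": MAX_ATTEMPTS,
                "set_cookie": session_cookie(secrets.token_urlsafe(32))}
    account["failed"] += 1
    remaining = MAX_ATTEMPTS - account["failed"]  # 4 after the first bad try, not 5
    if remaining <= 0:
        account["locked"] = True
        return {"ok": False, "msg": "account locked", "remaining": 0}
    return {"ok": False, "msg": f"bad password, {remaining} attempts left",
            "remaining": remaining}
```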