If you are visiting an HTTP page, and try to do something that redirects to login, say, edit a wiki page, and the login page requires HTTPS, the return_url will be http://yoursite/wiki since the code "knows" you are going back to http after you login.
if {[util_complete_url_p $return_url] && ![regexp "^[ad_url]" $return_url]} {
And that works if your register page is HTTPS and you redirect to HTTP. That should cover almost every case. I can't imagine you would have an HTTP login page, but redirect to HTTPS.
Is this reasonable? It checks if the redirect matches the system url as specified in the acs-kernel parameters.
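
An added example, not part of the original post and not OpenACS code: stand-alone Tcl that runs the post's prefix test next to a comparison of the parsed host, over constructed return URLs. The procs `prefix_match`, `url_host` and `same_site` are hypothetical helpers, `system_url` stands in for `[ad_url]`, and the host check assumes the site answers on the same host name for both HTTP and HTTPS.

```tcl
# Stand-in for [ad_url]; the value is the one used in the post.
set system_url "http://yoursite"

# The test from the post: the return URL must start with the system URL.
# The system URL is used as a regular expression, so "." matches any character
# and nothing requires the host name to end where the system URL ends.
proc prefix_match {system_url return_url} {
    return [regexp "^$system_url" $return_url]
}

# Hypothetical helper: lower-cased host of an absolute http(s) URL, or "" if
# the URL is not one we are willing to redirect to.
proc url_host {url} {
    # Backslashes and whitespace are parsed inconsistently by clients: refuse.
    if {[regexp {\\|\s} $url]} { return "" }
    if {![regexp -nocase {^https?://([^/?#]*)} $url -> authority]} { return "" }
    # Refuse userinfo ("user@host"), which hides the real host from a prefix test.
    if {[string first "@" $authority] >= 0} { return "" }
    # Drop an optional port (assumption: any port on the same host is ours).
    regsub {:\d*$} $authority "" host
    return [string tolower $host]
}

# Stricter check: same host as the system URL, either http or https.
proc same_site {system_url return_url} {
    set want [url_host $system_url]
    set got  [url_host $return_url]
    return [expr {$want ne "" && $want eq $got}]
}

# Constructed sample return URLs (example.net is a reserved documentation domain).
set samples {
    http://yoursite/wiki
    https://yoursite/wiki
    http://yoursite.example.net/wiki
    http://yoursite@example.net/wiki
}

foreach url $samples {
    puts [format "%-36s prefix=%d same_site=%d" $url \
        [prefix_match $system_url $url] [same_site $system_url $url]]
}
```

The last two samples pass the prefix test although their host is not the system host, and the HTTPS sample fails it although the host is the same; comparing the parsed host handles both.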