diff --git a/access.lua b/access.lua
index 0967eca..8148874 100644
--- a/access.lua
+++ b/access.lua
@@ -391,6 +391,15 @@ end
 -- The default is to protect every URL by default.
 --
-hlp.flash("info", hlp.t("please_login"))
-local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()
+-- Only display this if HTTPS. For HTTP, we can't know if the user really is
+-- logged in or not, because the cookie is available only in HTTP...
+if ngx.var.scheme == "https" then
+ hlp.flash("info", hlp.t("please_login"))
+end
+
+-- Force the scheme to HTTPS. This is to avoid an issue with redirection loop
+-- when trying to access http://main.domain.tld/ (SSOwat finds that user aint
+-- logged in, therefore redirects to SSO, which redirects to the back_url, which
+-- redirect to SSO, ..)
+local back_url = "https://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()
 return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))
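Review bot: The new comment above the `if ngx.var.scheme == "https" then` guard says the cookie "is available only in HTTP", which contradicts the guard it explains; presumably the session cookie is Secure-only, so the line should read `-- logged in or not, because the cookie is only sent over HTTPS.` Separately, the rewritten `back_url` still takes its host from `ngx.var.host`, which nginx fills from the client's request, and now always prefixes it with `https://`. This hunk does not check that host against the domains the SSO manages, so it is worth confirming that the portal validates the decoded `r` value before redirecting back to it. If nginx runs behind a TLS-terminating proxy, `ngx.var.scheme` may be `http` for every request, which would suppress the login flash entirely; a short comment stating that assumption would help.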