> ...disable secure cookies ... for self-signed certs. ... the user ... enable[s] them.
So you make a self-signed cert for your website which needs secure login, and you tell your users to turn on secure cookies so that you can safely store their credentials in the browser. Then your website gets MITM'ed with another self-signed cert, which either
1. can access the same cookies, because the domain is the same
2. can't, because the cert is different
But in the second case, you've already conditioned users to log in to your website with the cert being self-signed, so they'll just log in again. If the browser complains that the attacker's cert isn't the same as the old cert, or makes the user re-enable secure cookies with a warning, then the user has been conditioned to do that too - and an extra message of "we changed the cert, ignore your security warnings" will convince lots of users with doubts.

Using a self-signed cert isn't secure. What's being discussed is whether it's worse than HTTP. It isn't.
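As an added illustration of the cookie-scoping point in the comment above (this is example code written for this page, not something the commenter posted), the script below feeds Python's standard `http.cookiejar` a `Secure` session cookie set by `https://example.com` and then asks which later requests the jar would attach it to. The jar's decision depends only on the scheme and host of each request; it has no notion of which certificate authenticated the connection. The "fingerprints" in the labels are constructed placeholders, and `example.com` is used only as an illustrative host.

```python
"""Which signals decide whether a Secure cookie is sent: scheme and host, not the cert.

Uses only the standard library. The FakeResponse class is a constructed stand-in
for an HTTP response; the endpoint labels carry placeholder fingerprints so the
two TLS scenarios can be told apart in the output.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            # Message allows repeated header names, like real Set-Cookie lines.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def build_jar(login_url="https://example.com/login"):
    """Simulate the legitimate site issuing a Secure, HttpOnly session cookie."""
    jar = CookieJar()
    login_request = Request(login_url)
    # Constructed cookie value; in practice this would be a random session id.
    response = FakeResponse(["session=abc123; Secure; HttpOnly; Path=/"])
    jar.extract_cookies(response, login_request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar attaches to a request for url, or None."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Constructed scenario: the same host name reached through two different
# self-signed certificates (placeholder fingerprints) and over plain HTTP.
ENDPOINTS = {
    "legit_cert":    "https://example.com/account",  # placeholder fingerprint AA:AA
    "attacker_cert": "https://example.com/account",  # placeholder fingerprint BB:BB
    "plain_http":    "http://example.com/account",
}


def cookies_sent(jar, endpoints=ENDPOINTS):
    """Map each endpoint label to the Cookie header the browser-side jar would send.

    Both TLS endpoints receive the cookie because they share scheme and host;
    the certificate never enters the jar's decision. Only the plain-HTTP
    request is refused, which is all the Secure attribute guarantees.
    """
    return {label: cookie_header_for(jar, url) for label, url in endpoints.items()}


if __name__ == "__main__":
    for label, header in cookies_sent(build_jar()).items():
        print(f"{label:14s} -> {header}")
```

The takeaway for a defender is that `Secure` only prevents downgrade to cleartext; whether the peer presenting a certificate for that host is the right one is decided by certificate validation before the request is made, which is exactly the check a self-signed certificate leaves to the user.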