Caution: https is a reserved feature for securised website. If the website has no security controle system, that's for nothing to add the "s" after http.
It was just an example; of course if you don't have https connection, there should be 'http://'.
Actually, CSRF/XSRF issue is related to this thing: you should have the same value in $main_url as you're entering the forum from. If it starts with a subdomain, then only subdomain without www should be listed there. It should be absolutely equal to the domain you're entering credentials from. And yes, if you system is tied up with another logins system, you may modify cookie settings so they correspond to the system you're using.