Session not saving when moving from SSL to non-SSL

I figured this out. Cake was switching the session.cookie_secure ini value on the fly while under SSL connections automatically, so the cookie being created was a secure cookie, which the second page wouldn't recognize.

Solution: comment out /cake/lib/session.php, line 420-ish:

    // in /cake/lib/session.php: the line that forces a Secure cookie under SSL
    ini_set('session.cookie_secure', 1);

(Just search for that to find it, as I'm sure the line # will change as releases come out.)


While the accepted answer meets the OP's desire to "move people off of SSL once logged in" - it's horribly insecure in that it exposes the user session to hijacking (See Firesheep for an easy exploit).

A better compromise between the default behavior of CakePHP (which requires all pages to be served SSL after a user authenticates over SSL) and the accepted answer (which serves all authenticated pages unencrypted and exposes the authenticated cookie) is to serve pages encrypted over SSL if and only if they require authentication.

An easy way to accomplish this is to maintain two session cookies - one that is served secure and holds the authentication information and another which is served insecure. A simple implementation to support such a dual-session approach will use a session_handler to override the session.name like so:

    // CakePHP: env('HTTPS') is truthy when the request came in over SSL.
    // Give the SSL session its own cookie name so the secure (authenticated)
    // session and the plain-HTTP session never share a cookie.
    if (env('HTTPS')) {
        ini_set('session.name', Configure::read('Session.cookie') . '-SECURE');
    } else {
        ini_set('session.name', Configure::read('Session.cookie'));
    }

One item to keep in mind with this approach is that linking from a non-SSL page directly to a page that requires authentication will require you to link explicitly using https, since you'll need to send the session cookie containing the authentication information and the browser will only do so if the link is encrypted.
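As an added example (not code from the answer above or from CakePHP), here is the same dual-session idea in plain PHP with the cookie flags a practitioner would actually set: the HTTPS session gets a distinct name and the Secure flag, the plain-HTTP session gets neither the login data nor the flag, and a protected page redirects to https before it ever looks for the login. The cookie names, APP_HOST and the $_SESSION['user_id'] key are assumptions; session_set_cookie_params() with an options array needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original answers or CakePHP. Names below
// (APP_HOST, the two cookie names, $_SESSION['user_id']) are assumptions.
declare(strict_types=1);

const APP_HOST       = 'www.example.com';   // configured host; do not trust $_SERVER['HTTP_HOST']
const PUBLIC_SESSION = 'APPSESSID';         // plain-HTTP session: never holds auth data
const SECURE_SESSION = 'APPSESSID-SECURE';  // HTTPS-only session: holds the login

function isHttps(): bool
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value behind TLS; some SAPIs
    // report 'off' on plain HTTP, so treat that as false too.
    return !empty($_SERVER['HTTPS']) && strtolower((string) $_SERVER['HTTPS']) !== 'off';
}

function startDualSession(): void
{
    $https = isHttps();
    // Distinct cookie names keep the two sessions apart; the Secure flag on the
    // HTTPS cookie is what stops the browser from leaking it over plain HTTP.
    session_name($https ? SECURE_SESSION : PUBLIC_SESSION);
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => $https,   // Secure flag only on the authenticated cookie
        'httponly' => true,     // keep both cookies away from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // Only ever called from an HTTPS page, so the login lands in the secure session.
    if (!isHttps()) {
        throw new RuntimeException('login must be handled over HTTPS');
    }
    session_regenerate_id(true);   // drop the pre-login session id (fixation)
    $_SESSION['user_id'] = $userId;
}

function requireLogin(): void
{
    if (!isHttps()) {
        // The browser will not send the secure cookie over HTTP, so send the user
        // to the same URL over https instead of concluding they are logged out.
        header('Location: https://' . APP_HOST . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: https://' . APP_HOST . '/login', true, 302);
        exit;
    }
}

// Per-request bootstrap: every page calls this first; protected pages then
// call requireLogin() before rendering anything.
startDualSession();
```

Anything stored in the PUBLIC_SESSION cookie is still sniffable on a plain-HTTP connection, so nothing kept there may grant privilege; the point of the split is that the cookie an attacker can capture with a tool like Firesheep is worthless, while the one that matters never leaves the browser unencrypted.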


First of all, do I understand correctly that the second login is using the exact same mechanism as the first (via HTTPS)?

Does the first hit on an unsecured page create a new session, in addition to the one created during login?

Check if, on first login, the cookie is not set with the Secure flag (that means that the cookie should only be sent over a secured (HTTPS) connection).